Edit tour

Windows Analysis Report
330tqxXVzm.dll

Overview

General Information

Sample name:	330tqxXVzm.dll renamed because original name is a hash value
Original sample name:	2315e86a19005c5e60b0109dbb8dc925.dll
Analysis ID:	1591519
MD5:	2315e86a19005c5e60b0109dbb8dc925
SHA1:	5a810aef694aa0b1ee9dcf35e9f3759d29677346
SHA256:	fca91ac499fbffbcc8b20d876bf84f7833d72825810f628b67098aec7d1c7037
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7380 cmdline: loaddll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7436 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7520 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 5CE0C05BC5A5A786C0623C16C2D8B3A5)

tasksche.exe (PID: 7752 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 29868284EA8EB1D5DB9949A9112CBAB9)

rundll32.exe (PID: 7448 cmdline: rundll32.exe C:\Users\user\Desktop\330tqxXVzm.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7696 cmdline: rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7712 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 5CE0C05BC5A5A786C0623C16C2D8B3A5)

tasksche.exe (PID: 7844 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 29868284EA8EB1D5DB9949A9112CBAB9)

mssecsvc.exe (PID: 7640 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 5CE0C05BC5A5A786C0623C16C2D8B3A5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
330tqxXVzm.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
330tqxXVzm.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
330tqxXVzm.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.1415685359.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1388044260.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1402890609.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.1417150192.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000002.1425190508.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000000.1424435837.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1425963319.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 7520	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7640	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7712	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.1eaa084.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23d28c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.240496c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.240496c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.240496c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.240496c.6.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1edc128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1edc128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1edc128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1edc128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23e1948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e1948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23e1948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.23e1948.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1eb9104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb9104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb9104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1eb9104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23d28c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23d28c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.23d28c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1edc128.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1edc128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1edc128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1edc128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.240496c.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.240496c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.240496c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.240496c.6.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1eaa084.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eaa084.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x28bde4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x27bbb0:$x3: tasksche.exe 0x28bdc0:$x3: tasksche.exe 0x28bd9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x28be14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x27bc1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x24626c:$x7: mssecsvc.exe 0x261b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x27bb88:$x8: C:\%s\qeriuwjhrf 0x28bde4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x246254:$s1: C:\%s\%s 0x261b7c:$s1: C:\%s\%s 0x27bb9c:$s1: C:\%s\%s 0x28bd14:$s3: cmd.exe /c "%s" 0x2be268:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.1eaa084.4.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1eaa084.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x28bdc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x28bde8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eaa084.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x27e8fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2528d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25425a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2840a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23dd8e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23dd8e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23dd8e8.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23e1948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e1948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23e1948.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1eb50a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb50a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb50a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eb9104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb9104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb9104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 135 entries

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.839153+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.9	49707	TCP
2025-01-15T02:52:25.324530+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.9	49708	TCP
2025-01-15T02:52:26.109082+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.9	49716	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.293871+0100	2024291	1	A Network Trojan was detected	192.168.2.9	61146	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.831070+0100	2024298	1	A Network Trojan was detected	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024298	1	A Network Trojan was detected	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024298	1	A Network Trojan was detected	192.168.2.9	49716	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.831070+0100	2024299	1	A Network Trojan was detected	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024299	1	A Network Trojan was detected	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024299	1	A Network Trojan was detected	192.168.2.9	49716	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.831070+0100	2024301	1	A Network Trojan was detected	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024301	1	A Network Trojan was detected	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024301	1	A Network Trojan was detected	192.168.2.9	49716	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.831070+0100	2024302	1	A Network Trojan was detected	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024302	1	A Network Trojan was detected	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024302	1	A Network Trojan was detected	192.168.2.9	49716	104.16.166.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:23.831070+0100	2803304	3	Unknown Traffic	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2803304	3	Unknown Traffic	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2803304	3	Unknown Traffic	192.168.2.9	49716	104.16.166.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 330tqxXVzm.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\mssecsvc.exe	Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 93%
Source: C:\Windows\mssecsvc.exe	ReversingLabs: Detection: 92%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Source: 330tqxXVzm.dll	Virustotal: Detection: 90%			Perma Link
Source: 330tqxXVzm.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 330tqxXVzm.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 11_2_004018B9 CryptReleaseContext,

11_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: 330tqxXVzm.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49875 version: TLS 1.0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.9:49707 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.9:49707 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.9:49707 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.9:49707 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.9:49716 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.9:49716 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.9:49716 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.9:49716 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.9:49708 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.9:49708 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.9:49708 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.9:49708 -> 104.16.166.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 01:52:23 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902239e47ab47ce4-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 01:52:25 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902239ed8c5e0ca0-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 01:52:26 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902239f2bc700cb4-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.9:61146 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49707 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49716 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49708 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.9:49707
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.9:49716
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.9:49708

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49875 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: mssecsvc.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000006.00000002.1420255379.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1426826797.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1426826797.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 0000000A.00000002.1426826797.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/.
Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2
Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/JH
Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/JI
Source: mssecsvc.exe, 00000006.00000002.1420255379.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/f
Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/lC
Source: mssecsvc.exe, 0000000A.00000002.1426826797.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ll
Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s
Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com32zI
Source: mssecsvc.exe, 00000008.00000002.2050645566.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe, 00000006.00000002.1420255379.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comP4

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

11_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: 330tqxXVzm.dll, type: SAMPLE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23d28c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23dd8e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e1948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb50a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb9104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1415685359.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1388044260.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1402890609.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1425963319.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 330tqxXVzm.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 330tqxXVzm.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eaa084.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23d28c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23d28c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23d28c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23dd8e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23dd8e8.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23e1948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e1948.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1eb50a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb50a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eb9104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb9104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.1417150192.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000002.1425190508.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.1424435837.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 11_2_00406C40	11_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 11_2_00402A76	11_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 11_2_00402E7E	11_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040350F	11_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 11_2_00404C19	11_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 11_2_0040541F	11_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 11_2_00403797	11_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 11_2_004043B7	11_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 11_2_004031BC	11_2_004031BC

Source: mssecsvc.exe.4.dr	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.6.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: 330tqxXVzm.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 330tqxXVzm.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 330tqxXVzm.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eaa084.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23d28c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.240496c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1edc128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.23e1948.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1eb9104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23d28c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23d28c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1edc128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.240496c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eaa084.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23dd8e8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23dd8e8.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23e1948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e1948.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1eb50a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb50a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eb9104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb9104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.1417150192.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.1425190508.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.1424435837.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000002.1425190508.000000000040E000.00000008.00000001.01000000.00000007.sdmp, 330tqxXVzm.dll, tasksche.exe.6.dr, mssecsvc.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/3@1/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	11_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03

Source: 330tqxXVzm.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\330tqxXVzm.dll,PlayGame

Source: 330tqxXVzm.dll	Virustotal: Detection: 90%
Source: 330tqxXVzm.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\330tqxXVzm.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\330tqxXVzm.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 330tqxXVzm.dll

Static file information: File size 5267459 > 1048576

Source: 330tqxXVzm.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 11_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 11_2_00407710 push eax; ret		11_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 11_2_004076C8 push eax; ret		11_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 7720	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7720	Thread sleep time: -190000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7724	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7724	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7720	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: mssecsvc.exe, 00000006.00000002.1420255379.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=V6i
Source: mssecsvc.exe, 00000006.00000002.1420255379.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1420255379.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2051202536.0000000000C29000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1426826797.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.1426826797.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvc.exe, 0000000A.00000002.1426826797.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnKNr

Source: C:\Windows\tasksche.exe

Code function: 11_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 11_2_004029CC free,GetProcessHeap,HeapFree,

11_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
330tqxXVzm.dll	90%	Virustotal		Browse
330tqxXVzm.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
330tqxXVzm.dll	100%	Avira	TR/Ransom.Gen
330tqxXVzm.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvc.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvc.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label	Link
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comP4	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com32zI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	mssecsvc.exe.4.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2	mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ll	mssecsvc.exe, 0000000A.00000002.1426826797.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s	mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comP4	mssecsvc.exe, 00000006.00000002.1420255379.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/.	mssecsvc.exe, 0000000A.00000002.1426826797.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/JI	mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/JH	mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/f	mssecsvc.exe, 00000006.00000002.1420255379.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com32zI	mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/lC	mssecsvc.exe, 00000008.00000002.2051202536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000008.00000002.2050645566.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.219.67.1	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
103.231.236.3	unknown	unknown	133491	STI-INSynchronossTechnologiesIndiaPrivateLimitedIN	false
103.231.236.2	unknown	unknown	133491	STI-INSynchronossTechnologiesIndiaPrivateLimitedIN	false
103.231.236.1	unknown	unknown	133491	STI-INSynchronossTechnologiesIndiaPrivateLimitedIN	false
40.79.112.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
201.22.142.37	unknown	Brazil	18881	TELEFONICABRASILSABR	false
6.122.130.1	unknown	United States	3356	LEVEL3US	false
54.65.187.164	unknown	United States	16509	AMAZON-02US	false
17.6.41.1	unknown	United States	714	APPLE-ENGINEERINGUS	false
190.228.30.2	unknown	Argentina	7303	TelecomArgentinaSAAR	false
190.228.30.1	unknown	Argentina	7303	TelecomArgentinaSAAR	false
206.13.39.203	unknown	United States	7018	ATT-INTERNET4US	false
54.65.187.1	unknown	United States	16509	AMAZON-02US	false
5.219.67.11	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
61.53.130.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
48.0.238.151	unknown	United States	2686	ATGS-MMD-ASUS	false
113.88.91.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
89.64.173.1	unknown	Poland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
132.224.47.164	unknown	United States	16989	UTMEMUS	false
134.82.208.174	unknown	United States	40591	BUCKNELLUNIVERSITYUS	false
65.24.132.1	unknown	United States	10796	TWC-10796-MIDWESTUS	false
40.90.175.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
78.233.46.2	unknown	France	12322	PROXADFR	false
78.233.46.1	unknown	France	12322	PROXADFR	false
136.179.52.139	unknown	United States	23005	SWITCH-LTDUS	false
40.90.175.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
134.82.208.1	unknown	United States	40591	BUCKNELLUNIVERSITYUS	false
9.126.239.2	unknown	United States	3356	LEVEL3US	false
9.126.239.1	unknown	United States	3356	LEVEL3US	false
136.179.52.2	unknown	United States	23005	SWITCH-LTDUS	false
136.179.52.1	unknown	United States	23005	SWITCH-LTDUS	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591519
Start date and time:	2025-01-15 02:51:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	330tqxXVzm.dll renamed because original name is a hash value
Original Sample Name:	2315e86a19005c5e60b0109dbb8dc925.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/3@1/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.23.77.188, 172.202.163.200, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 7752 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:52:24	API Interceptor	1x Sleep call for process: loaddll32.exe modified
20:52:58	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
9.126.239.1	ks9ET1786D	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	v9xYj92wR3.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	bopY0ot9wf.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	hzQNazOx3Z.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	sEVVq8g1dJ.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	k6fBkyS1R6.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	EXTERNAL Your company's credit limit has changed!.msg	Get hash	malicious	Unknown	Browse	13.89.179.14
	Eastern Contractors Corporation Contract and submittal document.eml	Get hash	malicious	Unknown	Browse	40.126.32.138
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	22.174.74.1
	bopY0ot9wf.dll	Get hash	malicious	Wannacry	Browse	20.51.106.1
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	52.178.54.35
	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	20.49.104.18
	FjSrGs0AE2.dll	Get hash	malicious	Wannacry	Browse	22.184.197.1
	mlfk8sYaiy.dll	Get hash	malicious	Wannacry	Browse	13.103.137.252
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	52.252.59.4
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	21.20.144.1
TELEFONICABRASILSABR	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	191.205.25.1
	meth3.elf	Get hash	malicious	Mirai	Browse	191.30.36.86
	arm4.elf	Get hash	malicious	Unknown	Browse	177.204.123.100
	ppc.elf	Get hash	malicious	Unknown	Browse	179.101.252.41
	m68k.elf	Get hash	malicious	Unknown	Browse	152.240.132.117
	x86.elf	Get hash	malicious	Unknown	Browse	189.18.16.126
	meth4.elf	Get hash	malicious	Mirai	Browse	179.161.91.91
	spc.elf	Get hash	malicious	Unknown	Browse	177.199.97.62
	arm5.elf	Get hash	malicious	Unknown	Browse	179.84.163.165
	x86_64.elf	Get hash	malicious	Unknown	Browse	189.69.170.51
TCIIR	meth8.elf	Get hash	malicious	Mirai	Browse	5.219.16.166
	elitebotnet.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	2.187.217.117
	3.elf	Get hash	malicious	Unknown	Browse	2.183.228.48
	3.elf	Get hash	malicious	Unknown	Browse	2.184.242.166
	sora.mips.elf	Get hash	malicious	Unknown	Browse	5.238.3.30
	sora.sh4.elf	Get hash	malicious	Unknown	Browse	5.190.71.144
	spc.elf	Get hash	malicious	Mirai	Browse	5.190.23.206
	x86.elf	Get hash	malicious	Mirai	Browse	5.238.41.178
	3.elf	Get hash	malicious	Unknown	Browse	2.181.161.146
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	2.184.235.86

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://teiegram-mg.org/	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://reviewpolicysocialreach.vercel.app/help&z/	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://teiegtrm.cc/EN/	Get hash	malicious	Telegram Phisher	Browse	23.206.229.209
	https://cdn.trytraffics.com/rdr/YWE9MzU1NTgxMDE3JnNlaT0zMDE4NjQ3NyZ0az1JaVpNVjJSRDNza0FlTER2TTdvRyZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://teiegroj.cc/ZH/	Get hash	malicious	Telegram Phisher	Browse	23.206.229.209
	http://onlineausde.andhrauniversity.edu.in/studentLogin/Payments/	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://nnsnsupport.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	mitel.docx	Get hash	malicious	Unknown	Browse	23.206.229.209

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.602176411288398
Encrypted:	false
SSDEEP:	98304:QqPoBkaRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPlCxcxk3ZAEUadzR8yc4Hj
MD5:	29868284EA8EB1D5DB9949A9112CBAB9
SHA1:	CE695039175FE31CFB10B10FADEC1C0523C72279
SHA-256:	81505522B84444CB5F006FB60330421C51012B7F60D04FD79F837F5297E217A9
SHA-512:	C7726A5A3993CA69DA148C3FD837806EB2226A3074142B8CA07D70EAE2425A1EFFB81B95E63D5E4B2B6CA46CE653C20C475D8C0002873F352EDC3A0DAF81C7D3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3723264
Entropy (8bit):	7.558634766428725
Encrypted:	false
SSDEEP:	98304:yDqPoBkaRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:yDqPlCxcxk3ZAEUadzR8yc4HI
MD5:	5CE0C05BC5A5A786C0623C16C2D8B3A5
SHA1:	C84BA976F9957E0DEC7946AADA3595991C7530EA
SHA-256:	65CA8BE3052D01A3EC269E7236307F455178E84AB7932FA6A57CD164BC5194A1
SHA-512:	E4B948E3B59DA4416353D7D1C73ACE1371C349AB2715393CA46F454F52C72F1799D13DA8FC575798143B4C8E445CEBD311101E252E617845496E50DACB376972
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.602176411288398
Encrypted:	false
SSDEEP:	98304:QqPoBkaRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPlCxcxk3ZAEUadzR8yc4Hj
MD5:	29868284EA8EB1D5DB9949A9112CBAB9
SHA1:	CE695039175FE31CFB10B10FADEC1C0523C72279
SHA-256:	81505522B84444CB5F006FB60330421C51012B7F60D04FD79F837F5297E217A9
SHA-512:	C7726A5A3993CA69DA148C3FD837806EB2226A3074142B8CA07D70EAE2425A1EFFB81B95E63D5E4B2B6CA46CE653C20C475D8C0002873F352EDC3A0DAF81C7D3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.925803926570659
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	330tqxXVzm.dll
File size:	5'267'459 bytes
MD5:	2315e86a19005c5e60b0109dbb8dc925
SHA1:	5a810aef694aa0b1ee9dcf35e9f3759d29677346
SHA256:	fca91ac499fbffbcc8b20d876bf84f7833d72825810f628b67098aec7d1c7037
SHA512:	b16a97c5de9cc5358b137fb1f7139907c106de42271c98e463f975429000ff0afe7215dbadbb3ecf956f8f15d15effde3b6702a090b33914b5fa4cda78e5be3f
SSDEEP:	98304:+DqPoBkaRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPlCxcxk3ZAEUadzR8yc4H
TLSH:	6F363394522CA2BCF1550DB44063896AF7B33C6997FA4F1F87C046AA0D53B9BBBD0B41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F6B7D2A2D8Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F6B7D2A2DA8h
cmp esi, 01h
je 00007F6B7D2A2D87h
cmp esi, 02h
jne 00007F6B7D2A2DA4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F6B7D2A2D8Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F6B7D2A2D8Eh
push edi
push esi
push ebx
call 00007F6B7D2A2C9Ah
test eax, eax
jne 00007F6B7D2A2D86h
xor eax, eax
jmp 00007F6B7D2A2DD0h
push edi
push esi
push ebx
call 00007F6B7D2A2B4Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F6B7D2A2D8Eh
test eax, eax
jne 00007F6B7D2A2DB9h
push edi
push eax
push ebx
call 00007F6B7D2A2C76h
test esi, esi
je 00007F6B7D2A2D87h
cmp esi, 03h
jne 00007F6B7D2A2DA8h
push edi
push esi
push ebx
call 00007F6B7D2A2C65h
test eax, eax
jne 00007F6B7D2A2D85h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F6B7D2A2D93h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F6B7D2A2D8Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	2277e580fb07452ea803bdde3d6b8791	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.7055644989013672

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T02:52:23.293871+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.9	61146	1.1.1.1	53	UDP
2025-01-15T02:52:23.831070+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:23.831070+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:23.831070+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:23.831070+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:23.831070+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.9	49707	104.16.166.228	80	TCP
2025-01-15T02:52:23.839153+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.9	49707	TCP
2025-01-15T02:52:25.323207+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:25.323207+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.9	49708	104.16.166.228	80	TCP
2025-01-15T02:52:25.324530+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.9	49708	TCP
2025-01-15T02:52:26.108154+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.9	49716	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.9	49716	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.9	49716	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.9	49716	104.16.166.228	80	TCP
2025-01-15T02:52:26.108154+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.9	49716	104.16.166.228	80	TCP
2025-01-15T02:52:26.109082+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.9	49716	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:52:15.924014091 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:15.926311970 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.933418036 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:15.933458090 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:15.933507919 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.935456038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.935516119 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.940294981 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:15.942518950 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:15.942531109 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:15.942584038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.944421053 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.944524050 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:15.949352026 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.031058073 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.033962965 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.035799026 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.035870075 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.035893917 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.035923004 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.038094997 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.038139105 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.042924881 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.044986010 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.044998884 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.045047998 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.047005892 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.047103882 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.051961899 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.133641005 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.135519981 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.136230946 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.136245012 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.136286974 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.136313915 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.137973070 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.138020039 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.142812014 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.145494938 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.145507097 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.145637035 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.147357941 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.147423983 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.153253078 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.237108946 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.237124920 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.237188101 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.239353895 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.239509106 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.243871927 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.245398998 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.245749950 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.246618986 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.246633053 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.246696949 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.248574018 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.248661995 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.254462957 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.298903942 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.338610888 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.341259956 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.342380047 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.342447042 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.344001055 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.344995022 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.346100092 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.347029924 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.348803997 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.348928928 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.348946095 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.348994017 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.349009991 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.351361036 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.351984978 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.356219053 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.400377989 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.439537048 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.441932917 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.442449093 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.442523956 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.444175959 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.446764946 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.446825027 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.448478937 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.451472044 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.451489925 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.451548100 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.453753948 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.454478025 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.458534002 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.500686884 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.542083025 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.543751955 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.543951988 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.544024944 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.545483112 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.548603058 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.549262047 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.550652027 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.554420948 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.554449081 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.554498911 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.556442976 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.556443930 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.557092905 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.561338902 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.604307890 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.643927097 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.643945932 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.644043922 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.646833897 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.647389889 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.651649952 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.651992083 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.653585911 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.657116890 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.657145023 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.657180071 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.657196045 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.659286976 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.659964085 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.664122105 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.708378077 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.750844002 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.753196955 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.754817009 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.754889965 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.756608009 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.758030891 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.758091927 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.758126020 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.758153915 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.758176088 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.760428905 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.761156082 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.765290976 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.812367916 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.845472097 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.847657919 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.852922916 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.853019953 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.853612900 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.854620934 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.856697083 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.858367920 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.861685991 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.861721992 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.861749887 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.861780882 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.864125967 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.864526987 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.870058060 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.913453102 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.951117992 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.953711987 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.954773903 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.954840899 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.956568956 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.959691048 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.960726976 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.962383032 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.965328932 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.965406895 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.965473890 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:16.965528965 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.967848063 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.968470097 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:16.972723961 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.016398907 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.054063082 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.056788921 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.061665058 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.064958096 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.067090034 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.067923069 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.067938089 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.067979097 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.068000078 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.070822954 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.071461916 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.075649977 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.116435051 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.127204895 CET	49675	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:17.127207994 CET	49676	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:17.152299881 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.154517889 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.158344030 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.159327984 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.160041094 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.164927959 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.166332960 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.168056011 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.171053886 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.171072006 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.171087027 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.171103954 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.171129942 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.173490047 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.174247026 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.178311110 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.220367908 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.255588055 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.257631063 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.261562109 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.261631012 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.262541056 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.263247013 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.268075943 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.268956900 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.270664930 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.273900986 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.273916960 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.273947001 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.273969889 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.276387930 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.277013063 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.281243086 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.324315071 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.358776093 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.361869097 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.364423037 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.366446972 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.366688967 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.371272087 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.371854067 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.373742104 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.377168894 CET	49674	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:17.377419949 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.377465963 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.377489090 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.377521038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.379801989 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.379913092 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.384676933 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.432315111 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.471901894 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.471968889 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.472038031 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.474519014 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.474591017 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.475370884 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.477283955 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.479351044 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.479468107 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.480300903 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.480338097 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.480360031 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.480395079 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.482307911 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.482364893 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.487211943 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.528428078 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.573452950 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.575895071 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.575913906 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.575970888 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.581020117 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.581058979 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.581090927 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.583858013 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.588736057 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.594770908 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.595786095 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.598088980 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.599704027 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.600718021 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.602948904 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.604444027 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.609972000 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.682218075 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.693684101 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.693818092 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.700687885 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.705615044 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.705660105 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:17.705692053 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:17.752186060 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.073695898 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.078465939 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.100183964 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.102678061 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.105014086 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.107404947 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.120769024 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.125622988 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.140856981 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.145642042 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.172025919 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.200773954 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.200812101 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.200895071 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.237513065 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.237596989 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.291147947 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.337368011 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.341522932 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.346343994 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.353158951 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.357001066 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.361043930 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.361833096 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.412333012 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.435667038 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.448666096 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.448904991 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.452591896 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.456554890 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.456633091 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.475159883 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.475481033 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.476883888 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.479990959 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.480321884 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.481683016 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.509884119 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.514681101 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.539330959 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.576045990 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.576071978 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.576108932 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.604129076 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.605675936 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.607345104 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.607399940 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.610568047 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.639014006 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.639529943 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.644406080 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.666681051 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.670810938 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.704996109 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.705014944 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.705115080 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.718177080 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.726579905 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.731425047 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.740801096 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.740818024 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.740916014 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.754498959 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.755033016 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.759879112 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.801814079 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.804380894 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.822098017 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.824260950 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.831368923 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.833318949 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.884354115 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.936080933 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.937669039 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.937766075 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.938925028 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.940460920 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.941879034 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.941925049 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.941957951 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.941989899 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.943670034 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.944267035 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.944345951 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:18.945197105 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.949047089 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:18.949130058 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.028250933 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.030689955 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.035583973 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.039789915 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.042305946 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.043126106 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.043152094 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.043190956 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.043222904 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.045284986 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.045380116 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.050236940 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.092427015 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.126334906 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.129101038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.133701086 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.133991957 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.135756969 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.140532970 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.140713930 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.142446995 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.145759106 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.145783901 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.145821095 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.145847082 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.148200035 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.148900032 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.152987957 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.200465918 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.231343985 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.234792948 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.236371040 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.238497019 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.239660025 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.243388891 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.243685007 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.245470047 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.248423100 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.248476982 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.248485088 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.248531103 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.250386000 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.250538111 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.258327961 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.297224998 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.333976030 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.336544037 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.340114117 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.342096090 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.342364073 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.346812963 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.346904993 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.348993063 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.353290081 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.353315115 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.353368998 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.355370045 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.355464935 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.360220909 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.400378942 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.437694073 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.440411091 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.442840099 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.442909956 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.444902897 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.445288897 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.450036049 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.451010942 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.452877998 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.454327106 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.454344988 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.454386950 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.454412937 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.456835985 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.456952095 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.461680889 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.504384995 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.540726900 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.542979002 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.544884920 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.546792984 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.549410105 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.552422047 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.552484035 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.554333925 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.560966015 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.562638998 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.564434052 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.612353086 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.635524035 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.637456894 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.642339945 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.644576073 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.647116899 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.651715040 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.651767969 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.653700113 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.658485889 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.660466909 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.662987947 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.712305069 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.733056068 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.736044884 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.740979910 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.742333889 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.744391918 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.749228001 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.749345064 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.751080990 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.755933046 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.758549929 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.760426044 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.808362007 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.831633091 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.834080935 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.839010000 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.839793921 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.841881990 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.846584082 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.846745014 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.848752022 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.853693008 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.855983019 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.858195066 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.904381990 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.929795980 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.932041883 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.936920881 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.937194109 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.939160109 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.944314003 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.946288109 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:19.953691959 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:19.956196070 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.004626989 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.027553082 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.030019045 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.034610987 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.034842968 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.037326097 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.041877031 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.041939020 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.043694973 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.048448086 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.049057961 CET	49677	443	192.168.2.9	20.189.173.11
Jan 15, 2025 02:52:20.051692009 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.053457975 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.100478888 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.125202894 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.128268957 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.132757902 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.133121967 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.134725094 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.139122963 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.139185905 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.140906096 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.145678043 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.148986101 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.150808096 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.196351051 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.223491907 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.226310968 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.230227947 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.231115103 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.232753038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.236377954 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.236454964 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.238673925 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.243542910 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.246458054 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.248836994 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.296344042 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.320844889 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.323061943 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.327867985 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.328141928 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.333722115 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.334201097 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.334274054 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.336628914 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.341459990 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.344331026 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.346472979 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.392359972 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.418549061 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.424818039 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.424904108 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.425792933 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.427294016 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.430685043 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.432143927 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.434591055 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.434628963 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.434690952 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.436686039 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.436801910 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.441618919 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.515578985 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.518821001 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.525196075 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.527673006 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.532193899 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.534775019 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.536340952 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.536396980 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.536410093 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.536442041 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.538358927 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.538583040 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.543183088 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.584363937 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.622868061 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.625483036 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.627012968 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.630393028 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.630990982 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.633840084 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.633913040 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.636549950 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.638762951 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.638801098 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.638835907 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.638865948 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.641577959 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.642626047 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.646359921 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.688302994 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.726486921 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.728969097 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.729288101 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.731470108 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.733851910 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.736388922 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.737109900 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.739546061 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.741792917 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.741851091 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.741864920 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.741904020 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.744152069 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.744220972 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.748974085 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.792310953 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.829340935 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.829358101 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.829435110 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.832524061 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.832972050 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.837387085 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.837829113 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.839703083 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.841891050 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.848227024 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.848244905 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.848289013 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.851227045 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.851454020 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.856261969 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.933573961 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.933592081 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.933631897 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.937004089 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.937685966 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.942568064 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.946772099 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.949052095 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.952008963 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.952045918 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:20.952064037 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.952091932 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.955852985 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.957405090 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:20.960783005 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.004312992 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.037626982 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.037664890 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.037822008 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.040539026 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.040539026 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.045552015 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.051448107 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.053581953 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.057538033 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.057590961 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.057622910 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.057645082 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.059665918 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.059772968 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.064589024 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.108305931 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.139221907 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.139257908 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.139328003 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.148827076 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.149135113 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.153675079 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.153999090 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.155294895 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.158942938 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.160080910 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.160115957 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.160150051 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.160178900 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.168134928 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.170072079 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.173022985 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.216348886 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.249309063 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.249347925 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.249417067 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.252202034 CET	49673	443	192.168.2.9	204.79.197.203
Jan 15, 2025 02:52:21.253084898 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.254925966 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.258022070 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.259843111 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.263855934 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.269100904 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.269145966 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.269177914 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.299375057 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.300530910 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.301441908 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.305432081 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.352340937 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.353880882 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.353924036 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.353976965 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.357359886 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.357490063 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.364092112 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.364124060 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.401866913 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.401885986 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.401901960 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.401938915 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.404618979 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.404684067 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.410617113 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.444407940 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.446995020 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.456772089 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.456813097 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.456864119 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.459628105 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.459866047 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.471566916 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.504360914 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.504435062 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.504730940 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.507486105 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.507550001 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.512769938 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.547497034 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.549467087 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.565072060 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.565090895 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.565205097 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.567408085 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.594928980 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.607558966 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.607584000 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.607651949 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.613410950 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.617819071 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.618824005 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.622740030 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.647555113 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.647573948 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.647628069 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.650095940 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.665568113 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.665590048 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.665606976 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.665637970 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.668186903 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.713406086 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.715934038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.715971947 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.716006041 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.716018915 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.716039896 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.716063976 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.717865944 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.722759962 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.738122940 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.738195896 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.738392115 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.740247011 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.756048918 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.758368015 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.804505110 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.806612968 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.817270041 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.817282915 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.817368984 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.853998899 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.857872009 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:21.907849073 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:21.955291986 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.026916981 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.027086973 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.028251886 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.028279066 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.031857967 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.031944990 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.033121109 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.033169985 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.124991894 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.127934933 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.127948999 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.127988100 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.174002886 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:22.218573093 CET	443	49706	13.107.246.45	192.168.2.9
Jan 15, 2025 02:52:22.267760038 CET	49706	443	192.168.2.9	13.107.246.45
Jan 15, 2025 02:52:23.349293947 CET	49707	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:23.354109049 CET	80	49707	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:23.354242086 CET	49707	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:23.355256081 CET	49707	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:23.360049963 CET	80	49707	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:23.829896927 CET	80	49707	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:23.830835104 CET	80	49707	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:23.831069946 CET	49707	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:23.834391117 CET	49707	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:23.839153051 CET	80	49707	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:24.772785902 CET	49708	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:24.777787924 CET	80	49708	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:24.777869940 CET	49708	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:24.778357029 CET	49708	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:24.783232927 CET	80	49708	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:25.323154926 CET	80	49708	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:25.323206902 CET	49708	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:25.323298931 CET	49708	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:25.324529886 CET	80	49708	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:25.324965954 CET	49708	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:25.328078032 CET	80	49708	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:25.417774916 CET	49709	445	192.168.2.9	105.132.39.209
Jan 15, 2025 02:52:25.423158884 CET	445	49709	105.132.39.209	192.168.2.9
Jan 15, 2025 02:52:25.423230886 CET	49709	445	192.168.2.9	105.132.39.209
Jan 15, 2025 02:52:25.423264980 CET	49709	445	192.168.2.9	105.132.39.209
Jan 15, 2025 02:52:25.423512936 CET	49710	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.428909063 CET	445	49709	105.132.39.209	192.168.2.9
Jan 15, 2025 02:52:25.429016113 CET	49709	445	192.168.2.9	105.132.39.209
Jan 15, 2025 02:52:25.429316998 CET	445	49710	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:25.429405928 CET	49710	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.429435968 CET	49710	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.434323072 CET	445	49710	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:25.434389114 CET	49710	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.434387922 CET	49711	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.439153910 CET	445	49711	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:25.439210892 CET	49711	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.439290047 CET	49711	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:25.444020033 CET	445	49711	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:25.606206894 CET	49716	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:25.611053944 CET	80	49716	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:25.611129999 CET	49716	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:25.611505985 CET	49716	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:25.616353035 CET	80	49716	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:26.107903957 CET	80	49716	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:26.108154058 CET	49716	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:26.108238935 CET	49716	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:26.109081984 CET	80	49716	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:26.109150887 CET	49716	80	192.168.2.9	104.16.166.228
Jan 15, 2025 02:52:26.114145041 CET	80	49716	104.16.166.228	192.168.2.9
Jan 15, 2025 02:52:26.736543894 CET	49676	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:26.736546993 CET	49675	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:26.986526012 CET	49674	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:27.418309927 CET	49735	445	192.168.2.9	40.90.175.78
Jan 15, 2025 02:52:27.423130035 CET	445	49735	40.90.175.78	192.168.2.9
Jan 15, 2025 02:52:27.423557997 CET	49735	445	192.168.2.9	40.90.175.78
Jan 15, 2025 02:52:27.423883915 CET	49735	445	192.168.2.9	40.90.175.78
Jan 15, 2025 02:52:27.424065113 CET	49736	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.428890944 CET	445	49735	40.90.175.78	192.168.2.9
Jan 15, 2025 02:52:27.428908110 CET	445	49736	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:27.428978920 CET	49735	445	192.168.2.9	40.90.175.78
Jan 15, 2025 02:52:27.428978920 CET	49736	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.432312012 CET	49736	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.437169075 CET	445	49736	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:27.439982891 CET	49736	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.535355091 CET	49737	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.540189028 CET	445	49737	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:27.541874886 CET	49737	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.554018974 CET	49737	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:27.558825016 CET	445	49737	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:27.983530998 CET	445	49711	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:27.983583927 CET	49711	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:27.983644962 CET	49711	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:27.983764887 CET	49711	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:27.988478899 CET	445	49711	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:27.988528013 CET	445	49711	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:28.639787912 CET	443	49704	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:28.640054941 CET	49704	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:29.425481081 CET	49759	445	192.168.2.9	31.13.181.20
Jan 15, 2025 02:52:29.430324078 CET	445	49759	31.13.181.20	192.168.2.9
Jan 15, 2025 02:52:29.430414915 CET	49759	445	192.168.2.9	31.13.181.20
Jan 15, 2025 02:52:29.430440903 CET	49759	445	192.168.2.9	31.13.181.20
Jan 15, 2025 02:52:29.431019068 CET	49760	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.435370922 CET	445	49759	31.13.181.20	192.168.2.9
Jan 15, 2025 02:52:29.435427904 CET	49759	445	192.168.2.9	31.13.181.20
Jan 15, 2025 02:52:29.435789108 CET	445	49760	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:29.436013937 CET	49760	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.436013937 CET	49760	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.437156916 CET	49761	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.440915108 CET	445	49760	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:29.441827059 CET	49760	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.442028046 CET	445	49761	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:29.442095995 CET	49761	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.442152977 CET	49761	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:29.447510958 CET	445	49761	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:29.658739090 CET	49677	443	192.168.2.9	20.189.173.11
Jan 15, 2025 02:52:30.987934113 CET	49776	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:30.994421959 CET	445	49776	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:30.994484901 CET	49776	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:30.995376110 CET	49776	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:31.001789093 CET	445	49776	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:31.441381931 CET	49782	445	192.168.2.9	103.231.236.111
Jan 15, 2025 02:52:31.446177959 CET	445	49782	103.231.236.111	192.168.2.9
Jan 15, 2025 02:52:31.446271896 CET	49782	445	192.168.2.9	103.231.236.111
Jan 15, 2025 02:52:31.446413040 CET	49782	445	192.168.2.9	103.231.236.111
Jan 15, 2025 02:52:31.446513891 CET	49783	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.451250076 CET	445	49782	103.231.236.111	192.168.2.9
Jan 15, 2025 02:52:31.451261044 CET	445	49783	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:31.451338053 CET	49782	445	192.168.2.9	103.231.236.111
Jan 15, 2025 02:52:31.451349974 CET	49783	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.451396942 CET	49783	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.452630043 CET	49784	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.456238031 CET	445	49783	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:31.456334114 CET	49783	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.457396030 CET	445	49784	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:31.457463026 CET	49784	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.457504988 CET	49784	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:31.462241888 CET	445	49784	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:32.783510923 CET	445	49776	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:32.783648014 CET	49776	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:32.783648014 CET	49776	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:32.783797026 CET	49776	445	192.168.2.9	105.132.39.1
Jan 15, 2025 02:52:32.788428068 CET	445	49776	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:32.788558960 CET	445	49776	105.132.39.1	192.168.2.9
Jan 15, 2025 02:52:32.847336054 CET	49800	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.853912115 CET	445	49800	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:32.854029894 CET	49800	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.854029894 CET	49800	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.854909897 CET	49802	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.858946085 CET	445	49800	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:32.858994961 CET	49800	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.859648943 CET	445	49802	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:32.859709978 CET	49802	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.859791994 CET	49802	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:32.865262032 CET	445	49802	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:33.467077971 CET	49808	445	192.168.2.9	9.126.239.96
Jan 15, 2025 02:52:33.471961021 CET	445	49808	9.126.239.96	192.168.2.9
Jan 15, 2025 02:52:33.472281933 CET	49808	445	192.168.2.9	9.126.239.96
Jan 15, 2025 02:52:33.475327015 CET	49808	445	192.168.2.9	9.126.239.96
Jan 15, 2025 02:52:33.475543022 CET	49809	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.480098009 CET	445	49808	9.126.239.96	192.168.2.9
Jan 15, 2025 02:52:33.480155945 CET	49808	445	192.168.2.9	9.126.239.96
Jan 15, 2025 02:52:33.480365038 CET	445	49809	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:33.480458975 CET	49809	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.484072924 CET	49809	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.488889933 CET	445	49809	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:33.489032030 CET	49809	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.520534039 CET	445	49784	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:33.520592928 CET	49784	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:33.520677090 CET	49784	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:33.520741940 CET	49784	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:33.524580956 CET	49811	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.525402069 CET	445	49784	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:33.525451899 CET	445	49784	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:33.529356956 CET	445	49811	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:33.529614925 CET	49811	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.536551952 CET	49811	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:33.541280985 CET	445	49811	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:35.472421885 CET	49832	445	192.168.2.9	78.233.46.189
Jan 15, 2025 02:52:35.477309942 CET	445	49832	78.233.46.189	192.168.2.9
Jan 15, 2025 02:52:35.477528095 CET	49832	445	192.168.2.9	78.233.46.189
Jan 15, 2025 02:52:35.477773905 CET	49833	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.477773905 CET	49832	445	192.168.2.9	78.233.46.189
Jan 15, 2025 02:52:35.482660055 CET	445	49833	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:35.482676983 CET	445	49832	78.233.46.189	192.168.2.9
Jan 15, 2025 02:52:35.482734919 CET	49833	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.482749939 CET	49833	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.482764959 CET	49832	445	192.168.2.9	78.233.46.189
Jan 15, 2025 02:52:35.483885050 CET	49834	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.487663031 CET	445	49833	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:35.487845898 CET	49833	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.488795996 CET	445	49834	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:35.488883972 CET	49834	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.488930941 CET	49834	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:35.493752956 CET	445	49834	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:36.533832073 CET	49846	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:36.539247990 CET	445	49846	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:36.539824009 CET	49846	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:36.539824009 CET	49846	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:36.545312881 CET	445	49846	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:37.486952066 CET	49858	445	192.168.2.9	201.22.142.37
Jan 15, 2025 02:52:37.491852999 CET	445	49858	201.22.142.37	192.168.2.9
Jan 15, 2025 02:52:37.491981030 CET	49858	445	192.168.2.9	201.22.142.37
Jan 15, 2025 02:52:37.491981983 CET	49858	445	192.168.2.9	201.22.142.37
Jan 15, 2025 02:52:37.492417097 CET	49859	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.497035980 CET	445	49858	201.22.142.37	192.168.2.9
Jan 15, 2025 02:52:37.497322083 CET	49858	445	192.168.2.9	201.22.142.37
Jan 15, 2025 02:52:37.497395039 CET	445	49859	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:37.497500896 CET	49859	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.497580051 CET	49859	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.497889042 CET	49860	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.502410889 CET	445	49859	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:37.502480030 CET	49859	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.502707005 CET	445	49860	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:37.502770901 CET	49860	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.502815008 CET	49860	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:37.507677078 CET	445	49860	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:38.585206032 CET	49704	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:38.585382938 CET	49704	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:38.585730076 CET	49875	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:38.585764885 CET	443	49875	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:38.585851908 CET	49875	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:38.586138964 CET	49875	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:38.586152077 CET	443	49875	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:38.590053082 CET	443	49704	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:38.590109110 CET	443	49704	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:38.599766970 CET	445	49846	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:38.599867105 CET	49846	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:38.599967003 CET	49846	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:38.600070953 CET	49846	445	192.168.2.9	103.231.236.1
Jan 15, 2025 02:52:38.604757071 CET	445	49846	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:38.604800940 CET	445	49846	103.231.236.1	192.168.2.9
Jan 15, 2025 02:52:38.658725977 CET	49877	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.663477898 CET	445	49877	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:38.663563013 CET	49877	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.663599968 CET	49877	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.663897991 CET	49878	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.668786049 CET	445	49877	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:38.668802977 CET	445	49878	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:38.668878078 CET	49877	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.668932915 CET	49878	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.668978930 CET	49878	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:38.673790932 CET	445	49878	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:39.250818014 CET	443	49875	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:39.251271963 CET	49875	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:39.502933025 CET	49887	445	192.168.2.9	98.165.245.216
Jan 15, 2025 02:52:39.507777929 CET	445	49887	98.165.245.216	192.168.2.9
Jan 15, 2025 02:52:39.507863998 CET	49887	445	192.168.2.9	98.165.245.216
Jan 15, 2025 02:52:39.507936954 CET	49887	445	192.168.2.9	98.165.245.216
Jan 15, 2025 02:52:39.508003950 CET	49888	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.512799025 CET	445	49888	98.165.245.1	192.168.2.9
Jan 15, 2025 02:52:39.512836933 CET	445	49887	98.165.245.216	192.168.2.9
Jan 15, 2025 02:52:39.512875080 CET	49888	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.512890100 CET	49888	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.512911081 CET	49887	445	192.168.2.9	98.165.245.216
Jan 15, 2025 02:52:39.513299942 CET	49889	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.517858028 CET	445	49888	98.165.245.1	192.168.2.9
Jan 15, 2025 02:52:39.517910957 CET	49888	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.518086910 CET	445	49889	98.165.245.1	192.168.2.9
Jan 15, 2025 02:52:39.518258095 CET	49889	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.518297911 CET	49889	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:52:39.523092031 CET	445	49889	98.165.245.1	192.168.2.9
Jan 15, 2025 02:52:40.805619955 CET	445	49878	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:40.806010008 CET	49878	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:40.808310986 CET	49878	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:40.808386087 CET	49878	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:40.813812017 CET	445	49878	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:40.813836098 CET	445	49878	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:41.518265963 CET	49909	445	192.168.2.9	136.179.52.139
Jan 15, 2025 02:52:41.523169041 CET	445	49909	136.179.52.139	192.168.2.9
Jan 15, 2025 02:52:41.523236036 CET	49909	445	192.168.2.9	136.179.52.139
Jan 15, 2025 02:52:41.523304939 CET	49909	445	192.168.2.9	136.179.52.139
Jan 15, 2025 02:52:41.523447990 CET	49910	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.528270960 CET	445	49909	136.179.52.139	192.168.2.9
Jan 15, 2025 02:52:41.528285980 CET	445	49910	136.179.52.1	192.168.2.9
Jan 15, 2025 02:52:41.528326035 CET	49909	445	192.168.2.9	136.179.52.139
Jan 15, 2025 02:52:41.528384924 CET	49910	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.528476000 CET	49910	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.528704882 CET	49911	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.533341885 CET	445	49910	136.179.52.1	192.168.2.9
Jan 15, 2025 02:52:41.533437014 CET	49910	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.533526897 CET	445	49911	136.179.52.1	192.168.2.9
Jan 15, 2025 02:52:41.533590078 CET	49911	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.533653021 CET	49911	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:52:41.538414001 CET	445	49911	136.179.52.1	192.168.2.9
Jan 15, 2025 02:52:43.534183025 CET	49932	445	192.168.2.9	65.24.132.228
Jan 15, 2025 02:52:43.637960911 CET	445	49932	65.24.132.228	192.168.2.9
Jan 15, 2025 02:52:43.638122082 CET	49932	445	192.168.2.9	65.24.132.228
Jan 15, 2025 02:52:43.638247967 CET	49932	445	192.168.2.9	65.24.132.228
Jan 15, 2025 02:52:43.638544083 CET	49934	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.643342018 CET	445	49934	65.24.132.1	192.168.2.9
Jan 15, 2025 02:52:43.643465996 CET	49934	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.646872997 CET	49934	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.647269011 CET	49935	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.648382902 CET	445	49932	65.24.132.228	192.168.2.9
Jan 15, 2025 02:52:43.652086020 CET	445	49935	65.24.132.1	192.168.2.9
Jan 15, 2025 02:52:43.652153015 CET	49935	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.652195930 CET	49935	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.652251005 CET	445	49934	65.24.132.1	192.168.2.9
Jan 15, 2025 02:52:43.654763937 CET	445	49932	65.24.132.228	192.168.2.9
Jan 15, 2025 02:52:43.654815912 CET	49932	445	192.168.2.9	65.24.132.228
Jan 15, 2025 02:52:43.656096935 CET	445	49934	65.24.132.1	192.168.2.9
Jan 15, 2025 02:52:43.656353951 CET	49934	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:52:43.657021999 CET	445	49935	65.24.132.1	192.168.2.9
Jan 15, 2025 02:52:43.815171957 CET	49938	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:43.820058107 CET	445	49938	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:43.820240974 CET	49938	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:43.820353031 CET	49938	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:43.825057030 CET	445	49938	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:45.549845934 CET	49958	445	192.168.2.9	54.65.187.164
Jan 15, 2025 02:52:45.554692984 CET	445	49958	54.65.187.164	192.168.2.9
Jan 15, 2025 02:52:45.554781914 CET	49958	445	192.168.2.9	54.65.187.164
Jan 15, 2025 02:52:45.554827929 CET	49958	445	192.168.2.9	54.65.187.164
Jan 15, 2025 02:52:45.555264950 CET	49959	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.559704065 CET	445	49958	54.65.187.164	192.168.2.9
Jan 15, 2025 02:52:45.560128927 CET	445	49959	54.65.187.1	192.168.2.9
Jan 15, 2025 02:52:45.560396910 CET	49959	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.560396910 CET	49959	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.560430050 CET	49958	445	192.168.2.9	54.65.187.164
Jan 15, 2025 02:52:45.561244965 CET	49960	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.565309048 CET	445	49959	54.65.187.1	192.168.2.9
Jan 15, 2025 02:52:45.565370083 CET	49959	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.566008091 CET	445	49960	54.65.187.1	192.168.2.9
Jan 15, 2025 02:52:45.566096067 CET	49960	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.566096067 CET	49960	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:52:45.570882082 CET	445	49960	54.65.187.1	192.168.2.9
Jan 15, 2025 02:52:45.883645058 CET	445	49938	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:45.883833885 CET	49938	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:45.883884907 CET	49938	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:45.883923054 CET	49938	445	192.168.2.9	103.231.236.2
Jan 15, 2025 02:52:45.889441967 CET	445	49938	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:45.889986992 CET	445	49938	103.231.236.2	192.168.2.9
Jan 15, 2025 02:52:45.940048933 CET	49964	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.944960117 CET	445	49964	103.231.236.3	192.168.2.9
Jan 15, 2025 02:52:45.946247101 CET	49964	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.946621895 CET	49964	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.946729898 CET	49965	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.951450109 CET	445	49964	103.231.236.3	192.168.2.9
Jan 15, 2025 02:52:45.951493979 CET	445	49965	103.231.236.3	192.168.2.9
Jan 15, 2025 02:52:45.951560020 CET	49964	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.951597929 CET	49965	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.951617002 CET	49965	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:52:45.956387043 CET	445	49965	103.231.236.3	192.168.2.9
Jan 15, 2025 02:52:47.570622921 CET	49983	445	192.168.2.9	173.7.196.94
Jan 15, 2025 02:52:47.575413942 CET	445	49983	173.7.196.94	192.168.2.9
Jan 15, 2025 02:52:47.575562000 CET	49983	445	192.168.2.9	173.7.196.94
Jan 15, 2025 02:52:47.575562000 CET	49983	445	192.168.2.9	173.7.196.94
Jan 15, 2025 02:52:47.575817108 CET	49984	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.580600023 CET	445	49983	173.7.196.94	192.168.2.9
Jan 15, 2025 02:52:47.580615997 CET	445	49984	173.7.196.1	192.168.2.9
Jan 15, 2025 02:52:47.580697060 CET	49983	445	192.168.2.9	173.7.196.94
Jan 15, 2025 02:52:47.580725908 CET	49984	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.582055092 CET	49984	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.586980104 CET	445	49984	173.7.196.1	192.168.2.9
Jan 15, 2025 02:52:47.587054968 CET	49984	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.587753057 CET	49985	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.592632055 CET	445	49985	173.7.196.1	192.168.2.9
Jan 15, 2025 02:52:47.592710018 CET	49985	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.592749119 CET	49985	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:52:47.597560883 CET	445	49985	173.7.196.1	192.168.2.9
Jan 15, 2025 02:52:48.918786049 CET	445	49737	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:48.918905973 CET	49737	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:48.919018984 CET	49737	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:48.919087887 CET	49737	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:48.925718069 CET	445	49737	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:48.925730944 CET	445	49737	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:49.580811024 CET	50008	445	192.168.2.9	132.224.47.164
Jan 15, 2025 02:52:49.585711002 CET	445	50008	132.224.47.164	192.168.2.9
Jan 15, 2025 02:52:49.585793972 CET	50008	445	192.168.2.9	132.224.47.164
Jan 15, 2025 02:52:49.585856915 CET	50008	445	192.168.2.9	132.224.47.164
Jan 15, 2025 02:52:49.585963011 CET	50009	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.590800047 CET	445	50009	132.224.47.1	192.168.2.9
Jan 15, 2025 02:52:49.590812922 CET	445	50008	132.224.47.164	192.168.2.9
Jan 15, 2025 02:52:49.590904951 CET	50008	445	192.168.2.9	132.224.47.164
Jan 15, 2025 02:52:49.590946913 CET	50009	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.590946913 CET	50009	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.591336966 CET	50010	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.596015930 CET	445	50009	132.224.47.1	192.168.2.9
Jan 15, 2025 02:52:49.596074104 CET	50009	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.596092939 CET	445	50010	132.224.47.1	192.168.2.9
Jan 15, 2025 02:52:49.596196890 CET	50010	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.596196890 CET	50010	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:52:49.601052999 CET	445	50010	132.224.47.1	192.168.2.9
Jan 15, 2025 02:52:50.809964895 CET	445	49761	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:50.810050011 CET	49761	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:50.810117960 CET	49761	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:50.810195923 CET	49761	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:50.814889908 CET	445	49761	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:50.815030098 CET	445	49761	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:51.596813917 CET	50019	445	192.168.2.9	190.228.30.247
Jan 15, 2025 02:52:51.602000952 CET	445	50019	190.228.30.247	192.168.2.9
Jan 15, 2025 02:52:51.602138996 CET	50019	445	192.168.2.9	190.228.30.247
Jan 15, 2025 02:52:51.602385044 CET	50019	445	192.168.2.9	190.228.30.247
Jan 15, 2025 02:52:51.602567911 CET	50020	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.607637882 CET	445	50019	190.228.30.247	192.168.2.9
Jan 15, 2025 02:52:51.607698917 CET	50019	445	192.168.2.9	190.228.30.247
Jan 15, 2025 02:52:51.607808113 CET	445	50020	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:51.607876062 CET	50020	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.607973099 CET	50020	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.608351946 CET	50021	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.613183022 CET	445	50020	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:51.613240004 CET	50020	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.613503933 CET	445	50021	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:51.613574028 CET	50021	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.613607883 CET	50021	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:51.618370056 CET	445	50021	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:51.924452066 CET	50022	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:51.929285049 CET	445	50022	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:51.929433107 CET	50022	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:51.929455042 CET	50022	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:52:51.934262037 CET	445	50022	40.90.175.1	192.168.2.9
Jan 15, 2025 02:52:53.402380943 CET	445	50021	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:53.402524948 CET	50021	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:53.402548075 CET	50021	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:53.402614117 CET	50021	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:53.408253908 CET	445	50021	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:53.408267975 CET	445	50021	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:53.612123966 CET	50023	445	192.168.2.9	89.64.173.253
Jan 15, 2025 02:52:53.617307901 CET	445	50023	89.64.173.253	192.168.2.9
Jan 15, 2025 02:52:53.617415905 CET	50023	445	192.168.2.9	89.64.173.253
Jan 15, 2025 02:52:53.617435932 CET	50023	445	192.168.2.9	89.64.173.253
Jan 15, 2025 02:52:53.617541075 CET	50024	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:52:53.622741938 CET	445	50024	89.64.173.1	192.168.2.9
Jan 15, 2025 02:52:53.622756004 CET	445	50023	89.64.173.253	192.168.2.9
Jan 15, 2025 02:52:53.622828960 CET	50023	445	192.168.2.9	89.64.173.253
Jan 15, 2025 02:52:53.622828960 CET	50024	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:52:53.623177052 CET	50025	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:52:53.628201008 CET	445	50024	89.64.173.1	192.168.2.9
Jan 15, 2025 02:52:53.628269911 CET	50024	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:52:53.628300905 CET	445	50025	89.64.173.1	192.168.2.9
Jan 15, 2025 02:52:53.628364086 CET	50025	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:52:53.628401041 CET	50025	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:52:53.633518934 CET	445	50025	89.64.173.1	192.168.2.9
Jan 15, 2025 02:52:53.815334082 CET	50026	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:53.820220947 CET	445	50026	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:53.820368052 CET	50026	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:53.820527077 CET	50026	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:52:53.825340986 CET	445	50026	31.13.181.1	192.168.2.9
Jan 15, 2025 02:52:54.235461950 CET	445	49802	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:54.235601902 CET	49802	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:54.235866070 CET	49802	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:54.236129045 CET	49802	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:54.241611004 CET	445	49802	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:54.241621971 CET	445	49802	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:54.907080889 CET	445	49811	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:54.907202005 CET	49811	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:54.907411098 CET	49811	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:54.907677889 CET	49811	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:54.912271023 CET	445	49811	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:54.912520885 CET	445	49811	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:55.627927065 CET	50027	445	192.168.2.9	130.175.80.195
Jan 15, 2025 02:52:55.632850885 CET	445	50027	130.175.80.195	192.168.2.9
Jan 15, 2025 02:52:55.632965088 CET	50027	445	192.168.2.9	130.175.80.195
Jan 15, 2025 02:52:55.632981062 CET	50027	445	192.168.2.9	130.175.80.195
Jan 15, 2025 02:52:55.633073092 CET	50028	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.637929916 CET	445	50028	130.175.80.1	192.168.2.9
Jan 15, 2025 02:52:55.638039112 CET	445	50027	130.175.80.195	192.168.2.9
Jan 15, 2025 02:52:55.638077974 CET	50028	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.638077974 CET	50028	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.638129950 CET	50027	445	192.168.2.9	130.175.80.195
Jan 15, 2025 02:52:55.638261080 CET	50029	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.643074989 CET	445	50028	130.175.80.1	192.168.2.9
Jan 15, 2025 02:52:55.643129110 CET	445	50029	130.175.80.1	192.168.2.9
Jan 15, 2025 02:52:55.643138885 CET	50028	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.643203974 CET	50029	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.643260956 CET	50029	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:52:55.648066998 CET	445	50029	130.175.80.1	192.168.2.9
Jan 15, 2025 02:52:56.408649921 CET	50030	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:56.413549900 CET	445	50030	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:56.413633108 CET	50030	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:56.413702965 CET	50030	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:56.418500900 CET	445	50030	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:56.872665882 CET	445	49834	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:56.872766972 CET	49834	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:56.872884035 CET	49834	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:56.873078108 CET	49834	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:56.877839088 CET	445	49834	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:56.877970934 CET	445	49834	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:57.236874104 CET	50031	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:57.241794109 CET	445	50031	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:57.241893053 CET	50031	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:57.242032051 CET	50031	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:52:57.246916056 CET	445	50031	105.132.39.2	192.168.2.9
Jan 15, 2025 02:52:57.643309116 CET	50032	445	192.168.2.9	158.170.93.248
Jan 15, 2025 02:52:57.648222923 CET	445	50032	158.170.93.248	192.168.2.9
Jan 15, 2025 02:52:57.648359060 CET	50032	445	192.168.2.9	158.170.93.248
Jan 15, 2025 02:52:57.648376942 CET	50032	445	192.168.2.9	158.170.93.248
Jan 15, 2025 02:52:57.648564100 CET	50033	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.653279066 CET	445	50032	158.170.93.248	192.168.2.9
Jan 15, 2025 02:52:57.653343916 CET	50032	445	192.168.2.9	158.170.93.248
Jan 15, 2025 02:52:57.653407097 CET	445	50033	158.170.93.1	192.168.2.9
Jan 15, 2025 02:52:57.653486967 CET	50033	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.653486967 CET	50033	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.653779030 CET	50034	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.658432961 CET	445	50033	158.170.93.1	192.168.2.9
Jan 15, 2025 02:52:57.658525944 CET	445	50034	158.170.93.1	192.168.2.9
Jan 15, 2025 02:52:57.658562899 CET	50033	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.658663034 CET	50034	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.658688068 CET	50034	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:52:57.663474083 CET	445	50034	158.170.93.1	192.168.2.9
Jan 15, 2025 02:52:57.908770084 CET	50035	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:57.913667917 CET	445	50035	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:57.913758039 CET	50035	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:57.913985968 CET	50035	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:52:57.918911934 CET	445	50035	9.126.239.1	192.168.2.9
Jan 15, 2025 02:52:58.304084063 CET	445	50030	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:58.304204941 CET	50030	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:58.304258108 CET	50030	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:58.304307938 CET	50030	445	192.168.2.9	190.228.30.1
Jan 15, 2025 02:52:58.309106112 CET	445	50030	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:58.309114933 CET	445	50030	190.228.30.1	192.168.2.9
Jan 15, 2025 02:52:58.361973047 CET	50036	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.366838932 CET	445	50036	190.228.30.2	192.168.2.9
Jan 15, 2025 02:52:58.366936922 CET	50036	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.366981030 CET	50036	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.367247105 CET	50037	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.371957064 CET	445	50036	190.228.30.2	192.168.2.9
Jan 15, 2025 02:52:58.371995926 CET	445	50037	190.228.30.2	192.168.2.9
Jan 15, 2025 02:52:58.372050047 CET	50036	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.372112989 CET	50037	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.372112989 CET	50037	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:52:58.376869917 CET	445	50037	190.228.30.2	192.168.2.9
Jan 15, 2025 02:52:58.430555105 CET	443	49875	23.206.229.209	192.168.2.9
Jan 15, 2025 02:52:58.430712938 CET	49875	443	192.168.2.9	23.206.229.209
Jan 15, 2025 02:52:58.893416882 CET	445	49860	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:58.893543959 CET	49860	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:58.893591881 CET	49860	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:58.893610001 CET	49860	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:52:58.898473978 CET	445	49860	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:58.898484945 CET	445	49860	201.22.142.1	192.168.2.9
Jan 15, 2025 02:52:59.659334898 CET	50038	445	192.168.2.9	185.92.212.192
Jan 15, 2025 02:52:59.664163113 CET	445	50038	185.92.212.192	192.168.2.9
Jan 15, 2025 02:52:59.664355993 CET	50038	445	192.168.2.9	185.92.212.192
Jan 15, 2025 02:52:59.664489985 CET	50038	445	192.168.2.9	185.92.212.192
Jan 15, 2025 02:52:59.664885998 CET	50039	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.669395924 CET	445	50038	185.92.212.192	192.168.2.9
Jan 15, 2025 02:52:59.669490099 CET	50038	445	192.168.2.9	185.92.212.192
Jan 15, 2025 02:52:59.669672012 CET	445	50039	185.92.212.1	192.168.2.9
Jan 15, 2025 02:52:59.669759035 CET	50039	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.669869900 CET	50039	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.670293093 CET	50040	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.674668074 CET	445	50039	185.92.212.1	192.168.2.9
Jan 15, 2025 02:52:59.674747944 CET	50039	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.675120115 CET	445	50040	185.92.212.1	192.168.2.9
Jan 15, 2025 02:52:59.675226927 CET	50040	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.675317049 CET	50040	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:52:59.680032015 CET	445	50040	185.92.212.1	192.168.2.9
Jan 15, 2025 02:52:59.878009081 CET	50041	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:59.882925987 CET	445	50041	78.233.46.1	192.168.2.9
Jan 15, 2025 02:52:59.883111000 CET	50041	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:59.883111000 CET	50041	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:52:59.887942076 CET	445	50041	78.233.46.1	192.168.2.9
Jan 15, 2025 02:53:00.891074896 CET	445	49889	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:00.891278982 CET	49889	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:00.891349077 CET	49889	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:00.891468048 CET	49889	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:00.896125078 CET	445	49889	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:00.896269083 CET	445	49889	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:01.452058077 CET	445	50040	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:01.452321053 CET	50040	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:01.452321053 CET	50040	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:01.453897953 CET	50040	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:01.457119942 CET	445	50040	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:01.458692074 CET	445	50040	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:01.541158915 CET	50042	445	192.168.2.9	159.48.29.38
Jan 15, 2025 02:53:01.546911001 CET	445	50042	159.48.29.38	192.168.2.9
Jan 15, 2025 02:53:01.547012091 CET	50042	445	192.168.2.9	159.48.29.38
Jan 15, 2025 02:53:01.550546885 CET	50042	445	192.168.2.9	159.48.29.38
Jan 15, 2025 02:53:01.550717115 CET	50043	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.555412054 CET	445	50042	159.48.29.38	192.168.2.9
Jan 15, 2025 02:53:01.555476904 CET	50042	445	192.168.2.9	159.48.29.38
Jan 15, 2025 02:53:01.555532932 CET	445	50043	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:01.555598974 CET	50043	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.559390068 CET	50043	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.559600115 CET	50044	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.564274073 CET	445	50043	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:01.564353943 CET	50043	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.564390898 CET	445	50044	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:01.564462900 CET	50044	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.564523935 CET	50044	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:01.569336891 CET	445	50044	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:01.913125038 CET	50045	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:53:01.919991970 CET	445	50045	201.22.142.1	192.168.2.9
Jan 15, 2025 02:53:01.920109034 CET	50045	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:53:01.921658039 CET	50045	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:53:01.927834988 CET	445	50045	201.22.142.1	192.168.2.9
Jan 15, 2025 02:53:02.908799887 CET	445	49911	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:02.909570932 CET	49911	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:02.909593105 CET	49911	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:02.909629107 CET	49911	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:02.914406061 CET	445	49911	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:02.914417028 CET	445	49911	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:03.284135103 CET	50046	445	192.168.2.9	152.242.192.71
Jan 15, 2025 02:53:03.289031982 CET	445	50046	152.242.192.71	192.168.2.9
Jan 15, 2025 02:53:03.289134026 CET	50046	445	192.168.2.9	152.242.192.71
Jan 15, 2025 02:53:03.289171934 CET	50046	445	192.168.2.9	152.242.192.71
Jan 15, 2025 02:53:03.289391994 CET	50047	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.294112921 CET	445	50046	152.242.192.71	192.168.2.9
Jan 15, 2025 02:53:03.294209957 CET	50046	445	192.168.2.9	152.242.192.71
Jan 15, 2025 02:53:03.294261932 CET	445	50047	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:03.294398069 CET	50047	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.294553995 CET	50047	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.294816971 CET	50048	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.299426079 CET	445	50047	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:03.299566984 CET	445	50048	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:03.299568892 CET	50047	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.299662113 CET	50048	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.299662113 CET	50048	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:03.304497004 CET	445	50048	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:03.893071890 CET	50049	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:03.897998095 CET	445	50049	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:03.898179054 CET	50049	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:03.898180008 CET	50049	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:03.903033018 CET	445	50049	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:04.455638885 CET	50050	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:04.460495949 CET	445	50050	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:04.460632086 CET	50050	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:04.464346886 CET	50050	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:04.469089985 CET	445	50050	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:04.924931049 CET	50051	445	192.168.2.9	86.133.180.111
Jan 15, 2025 02:53:04.929723024 CET	445	50051	86.133.180.111	192.168.2.9
Jan 15, 2025 02:53:04.929932117 CET	50051	445	192.168.2.9	86.133.180.111
Jan 15, 2025 02:53:04.929932117 CET	50051	445	192.168.2.9	86.133.180.111
Jan 15, 2025 02:53:04.930206060 CET	50052	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.934922934 CET	445	50051	86.133.180.111	192.168.2.9
Jan 15, 2025 02:53:04.934989929 CET	445	50052	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:04.935127974 CET	50052	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.935157061 CET	50051	445	192.168.2.9	86.133.180.111
Jan 15, 2025 02:53:04.935276031 CET	50052	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.936209917 CET	50053	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.940193892 CET	445	50052	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:04.940285921 CET	50052	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.941046953 CET	445	50053	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:04.941217899 CET	50053	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.941262960 CET	50053	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:04.946024895 CET	445	50053	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:05.030087948 CET	445	49935	65.24.132.1	192.168.2.9
Jan 15, 2025 02:53:05.030210972 CET	49935	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:05.030302048 CET	49935	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:05.030426979 CET	49935	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:05.035116911 CET	445	49935	65.24.132.1	192.168.2.9
Jan 15, 2025 02:53:05.035164118 CET	445	49935	65.24.132.1	192.168.2.9
Jan 15, 2025 02:53:05.924345970 CET	50054	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:06.056099892 CET	445	50054	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:06.056241989 CET	50054	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:06.056353092 CET	50054	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:06.061193943 CET	445	50054	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:06.216782093 CET	445	50050	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:06.216909885 CET	50050	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:06.216979980 CET	50050	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:06.217104912 CET	50050	445	192.168.2.9	185.92.212.1
Jan 15, 2025 02:53:06.221744061 CET	445	50050	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:06.221911907 CET	445	50050	185.92.212.1	192.168.2.9
Jan 15, 2025 02:53:06.268161058 CET	50055	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.273066044 CET	445	50055	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:06.273149967 CET	50055	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.273192883 CET	50055	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.273514032 CET	50056	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.278198957 CET	445	50055	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:06.278294086 CET	50055	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.278301001 CET	445	50056	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:06.278373003 CET	50056	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.278373003 CET	50056	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:06.283191919 CET	445	50056	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:06.463757038 CET	50057	445	192.168.2.9	61.53.130.209
Jan 15, 2025 02:53:06.468688965 CET	445	50057	61.53.130.209	192.168.2.9
Jan 15, 2025 02:53:06.468786001 CET	50057	445	192.168.2.9	61.53.130.209
Jan 15, 2025 02:53:06.468885899 CET	50057	445	192.168.2.9	61.53.130.209
Jan 15, 2025 02:53:06.469086885 CET	50058	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.473782063 CET	445	50057	61.53.130.209	192.168.2.9
Jan 15, 2025 02:53:06.473831892 CET	50057	445	192.168.2.9	61.53.130.209
Jan 15, 2025 02:53:06.473880053 CET	445	50058	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:06.473944902 CET	50058	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.474046946 CET	50058	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.474720955 CET	50059	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.478873014 CET	445	50058	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:06.478929043 CET	50058	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.479572058 CET	445	50059	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:06.479660988 CET	50059	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.479697943 CET	50059	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:06.484587908 CET	445	50059	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:06.955976963 CET	445	49960	54.65.187.1	192.168.2.9
Jan 15, 2025 02:53:06.956131935 CET	49960	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:06.956131935 CET	49960	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:06.956212997 CET	49960	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:06.960992098 CET	445	49960	54.65.187.1	192.168.2.9
Jan 15, 2025 02:53:06.961009026 CET	445	49960	54.65.187.1	192.168.2.9
Jan 15, 2025 02:53:07.309458017 CET	445	49965	103.231.236.3	192.168.2.9
Jan 15, 2025 02:53:07.309611082 CET	49965	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:07.309711933 CET	49965	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:07.309755087 CET	49965	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:07.314527035 CET	445	49965	103.231.236.3	192.168.2.9
Jan 15, 2025 02:53:07.314539909 CET	445	49965	103.231.236.3	192.168.2.9
Jan 15, 2025 02:53:07.893270969 CET	50060	445	192.168.2.9	113.88.91.46
Jan 15, 2025 02:53:07.900085926 CET	445	50060	113.88.91.46	192.168.2.9
Jan 15, 2025 02:53:07.900191069 CET	50060	445	192.168.2.9	113.88.91.46
Jan 15, 2025 02:53:07.900294065 CET	50060	445	192.168.2.9	113.88.91.46
Jan 15, 2025 02:53:07.900664091 CET	50061	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.905687094 CET	445	50060	113.88.91.46	192.168.2.9
Jan 15, 2025 02:53:07.905769110 CET	50060	445	192.168.2.9	113.88.91.46
Jan 15, 2025 02:53:07.905980110 CET	445	50061	113.88.91.1	192.168.2.9
Jan 15, 2025 02:53:07.906048059 CET	50061	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.906076908 CET	50061	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.906538010 CET	50062	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.911668062 CET	445	50061	113.88.91.1	192.168.2.9
Jan 15, 2025 02:53:07.911726952 CET	50061	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.911833048 CET	445	50062	113.88.91.1	192.168.2.9
Jan 15, 2025 02:53:07.911891937 CET	50062	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.911914110 CET	50062	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:07.917097092 CET	445	50062	113.88.91.1	192.168.2.9
Jan 15, 2025 02:53:08.033922911 CET	50063	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:08.038734913 CET	445	50063	65.24.132.1	192.168.2.9
Jan 15, 2025 02:53:08.038906097 CET	50063	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:08.039084911 CET	50063	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:08.043818951 CET	445	50063	65.24.132.1	192.168.2.9
Jan 15, 2025 02:53:08.966813087 CET	445	49985	173.7.196.1	192.168.2.9
Jan 15, 2025 02:53:08.966897011 CET	49985	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:08.966939926 CET	49985	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:08.966969013 CET	49985	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:08.971791029 CET	445	49985	173.7.196.1	192.168.2.9
Jan 15, 2025 02:53:08.971821070 CET	445	49985	173.7.196.1	192.168.2.9
Jan 15, 2025 02:53:09.174321890 CET	49705	80	192.168.2.9	199.232.214.172
Jan 15, 2025 02:53:09.179302931 CET	80	49705	199.232.214.172	192.168.2.9
Jan 15, 2025 02:53:09.179366112 CET	49705	80	192.168.2.9	199.232.214.172
Jan 15, 2025 02:53:09.221381903 CET	50064	445	192.168.2.9	5.219.67.11
Jan 15, 2025 02:53:09.226269007 CET	445	50064	5.219.67.11	192.168.2.9
Jan 15, 2025 02:53:09.226351976 CET	50064	445	192.168.2.9	5.219.67.11
Jan 15, 2025 02:53:09.226351976 CET	50064	445	192.168.2.9	5.219.67.11
Jan 15, 2025 02:53:09.226432085 CET	50065	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.231230021 CET	445	50065	5.219.67.1	192.168.2.9
Jan 15, 2025 02:53:09.231290102 CET	50065	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.231298923 CET	50065	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.231445074 CET	445	50064	5.219.67.11	192.168.2.9
Jan 15, 2025 02:53:09.231487989 CET	50064	445	192.168.2.9	5.219.67.11
Jan 15, 2025 02:53:09.231586933 CET	50066	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.236223936 CET	445	50065	5.219.67.1	192.168.2.9
Jan 15, 2025 02:53:09.236278057 CET	50065	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.236469030 CET	445	50066	5.219.67.1	192.168.2.9
Jan 15, 2025 02:53:09.236526966 CET	50066	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.236584902 CET	50066	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:09.241349936 CET	445	50066	5.219.67.1	192.168.2.9
Jan 15, 2025 02:53:09.971290112 CET	50067	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:09.976198912 CET	445	50067	54.65.187.1	192.168.2.9
Jan 15, 2025 02:53:09.976274967 CET	50067	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:09.976294041 CET	50067	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:09.981107950 CET	445	50067	54.65.187.1	192.168.2.9
Jan 15, 2025 02:53:10.314997911 CET	50068	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:10.322010040 CET	445	50068	103.231.236.3	192.168.2.9
Jan 15, 2025 02:53:10.322083950 CET	50068	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:10.322104931 CET	50068	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:10.329823971 CET	445	50068	103.231.236.3	192.168.2.9
Jan 15, 2025 02:53:10.455800056 CET	50069	445	192.168.2.9	134.82.208.174
Jan 15, 2025 02:53:10.462760925 CET	445	50069	134.82.208.174	192.168.2.9
Jan 15, 2025 02:53:10.462847948 CET	50069	445	192.168.2.9	134.82.208.174
Jan 15, 2025 02:53:10.462848902 CET	50069	445	192.168.2.9	134.82.208.174
Jan 15, 2025 02:53:10.462958097 CET	50070	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.469964981 CET	445	50070	134.82.208.1	192.168.2.9
Jan 15, 2025 02:53:10.470036983 CET	50070	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.470072985 CET	50070	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.470309973 CET	50071	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.472723961 CET	445	50069	134.82.208.174	192.168.2.9
Jan 15, 2025 02:53:10.472789049 CET	50069	445	192.168.2.9	134.82.208.174
Jan 15, 2025 02:53:10.476749897 CET	445	50070	134.82.208.1	192.168.2.9
Jan 15, 2025 02:53:10.476830006 CET	50070	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.477242947 CET	445	50071	134.82.208.1	192.168.2.9
Jan 15, 2025 02:53:10.477313995 CET	50071	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.477340937 CET	50071	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:10.484431028 CET	445	50071	134.82.208.1	192.168.2.9
Jan 15, 2025 02:53:11.002751112 CET	445	50010	132.224.47.1	192.168.2.9
Jan 15, 2025 02:53:11.002835035 CET	50010	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:11.002916098 CET	50010	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:11.002916098 CET	50010	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:11.007673979 CET	445	50010	132.224.47.1	192.168.2.9
Jan 15, 2025 02:53:11.007695913 CET	445	50010	132.224.47.1	192.168.2.9
Jan 15, 2025 02:53:11.614671946 CET	50072	445	192.168.2.9	48.0.238.151
Jan 15, 2025 02:53:11.619560957 CET	445	50072	48.0.238.151	192.168.2.9
Jan 15, 2025 02:53:11.619671106 CET	50072	445	192.168.2.9	48.0.238.151
Jan 15, 2025 02:53:11.619671106 CET	50072	445	192.168.2.9	48.0.238.151
Jan 15, 2025 02:53:11.619782925 CET	50073	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.624553919 CET	445	50073	48.0.238.1	192.168.2.9
Jan 15, 2025 02:53:11.624633074 CET	50073	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.624644041 CET	445	50072	48.0.238.151	192.168.2.9
Jan 15, 2025 02:53:11.624694109 CET	50072	445	192.168.2.9	48.0.238.151
Jan 15, 2025 02:53:11.624727964 CET	50073	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.625076056 CET	50074	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.629582882 CET	445	50073	48.0.238.1	192.168.2.9
Jan 15, 2025 02:53:11.629641056 CET	50073	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.629832983 CET	445	50074	48.0.238.1	192.168.2.9
Jan 15, 2025 02:53:11.629892111 CET	50074	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.629911900 CET	50074	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:11.634717941 CET	445	50074	48.0.238.1	192.168.2.9
Jan 15, 2025 02:53:11.971265078 CET	50075	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:11.976075888 CET	445	50075	173.7.196.1	192.168.2.9
Jan 15, 2025 02:53:11.976156950 CET	50075	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:11.976176023 CET	50075	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:11.980984926 CET	445	50075	173.7.196.1	192.168.2.9
Jan 15, 2025 02:53:12.690200090 CET	50076	445	192.168.2.9	17.6.41.180
Jan 15, 2025 02:53:12.695130110 CET	445	50076	17.6.41.180	192.168.2.9
Jan 15, 2025 02:53:12.695311069 CET	50076	445	192.168.2.9	17.6.41.180
Jan 15, 2025 02:53:12.695311069 CET	50076	445	192.168.2.9	17.6.41.180
Jan 15, 2025 02:53:12.695444107 CET	50077	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.701050043 CET	445	50077	17.6.41.1	192.168.2.9
Jan 15, 2025 02:53:12.701112986 CET	50077	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.701210022 CET	445	50076	17.6.41.180	192.168.2.9
Jan 15, 2025 02:53:12.701220036 CET	445	50076	17.6.41.180	192.168.2.9
Jan 15, 2025 02:53:12.701267958 CET	50077	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.701605082 CET	50076	445	192.168.2.9	17.6.41.180
Jan 15, 2025 02:53:12.701605082 CET	50078	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.706042051 CET	445	50077	17.6.41.1	192.168.2.9
Jan 15, 2025 02:53:12.706095934 CET	50077	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.706352949 CET	445	50078	17.6.41.1	192.168.2.9
Jan 15, 2025 02:53:12.706414938 CET	50078	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.706440926 CET	50078	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:12.711235046 CET	445	50078	17.6.41.1	192.168.2.9
Jan 15, 2025 02:53:13.294763088 CET	445	50022	40.90.175.1	192.168.2.9
Jan 15, 2025 02:53:13.294866085 CET	50022	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:53:13.294866085 CET	50022	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:53:13.294934988 CET	50022	445	192.168.2.9	40.90.175.1
Jan 15, 2025 02:53:13.300358057 CET	445	50022	40.90.175.1	192.168.2.9
Jan 15, 2025 02:53:13.300369024 CET	445	50022	40.90.175.1	192.168.2.9
Jan 15, 2025 02:53:13.346223116 CET	50079	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.351504087 CET	445	50079	40.90.175.2	192.168.2.9
Jan 15, 2025 02:53:13.351571083 CET	50079	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.351582050 CET	50079	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.351824045 CET	50080	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.373033047 CET	445	50080	40.90.175.2	192.168.2.9
Jan 15, 2025 02:53:13.373147964 CET	50080	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.373147964 CET	50080	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.375818968 CET	445	50079	40.90.175.2	192.168.2.9
Jan 15, 2025 02:53:13.375869989 CET	50079	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:13.382971048 CET	445	50080	40.90.175.2	192.168.2.9
Jan 15, 2025 02:53:13.706470013 CET	50081	445	192.168.2.9	172.49.248.232
Jan 15, 2025 02:53:13.711371899 CET	445	50081	172.49.248.232	192.168.2.9
Jan 15, 2025 02:53:13.711457014 CET	50081	445	192.168.2.9	172.49.248.232
Jan 15, 2025 02:53:13.711550951 CET	50081	445	192.168.2.9	172.49.248.232
Jan 15, 2025 02:53:13.711647987 CET	50082	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.716536999 CET	445	50081	172.49.248.232	192.168.2.9
Jan 15, 2025 02:53:13.716557026 CET	445	50082	172.49.248.1	192.168.2.9
Jan 15, 2025 02:53:13.716603041 CET	50081	445	192.168.2.9	172.49.248.232
Jan 15, 2025 02:53:13.716635942 CET	50082	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.716681004 CET	50082	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.716896057 CET	50083	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.721577883 CET	445	50082	172.49.248.1	192.168.2.9
Jan 15, 2025 02:53:13.721641064 CET	445	50083	172.49.248.1	192.168.2.9
Jan 15, 2025 02:53:13.721664906 CET	50082	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.721697092 CET	50083	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.722057104 CET	50083	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:13.726849079 CET	445	50083	172.49.248.1	192.168.2.9
Jan 15, 2025 02:53:14.018241882 CET	50084	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:14.023180008 CET	445	50084	132.224.47.1	192.168.2.9
Jan 15, 2025 02:53:14.023318052 CET	50084	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:14.023318052 CET	50084	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:14.028073072 CET	445	50084	132.224.47.1	192.168.2.9
Jan 15, 2025 02:53:14.643379927 CET	50085	445	192.168.2.9	40.79.112.34
Jan 15, 2025 02:53:14.648209095 CET	445	50085	40.79.112.34	192.168.2.9
Jan 15, 2025 02:53:14.648293018 CET	50085	445	192.168.2.9	40.79.112.34
Jan 15, 2025 02:53:14.648325920 CET	50085	445	192.168.2.9	40.79.112.34
Jan 15, 2025 02:53:14.648489952 CET	50086	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.653356075 CET	445	50086	40.79.112.1	192.168.2.9
Jan 15, 2025 02:53:14.653387070 CET	445	50085	40.79.112.34	192.168.2.9
Jan 15, 2025 02:53:14.653414965 CET	50086	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.653431892 CET	50085	445	192.168.2.9	40.79.112.34
Jan 15, 2025 02:53:14.653513908 CET	50086	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.653749943 CET	50087	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.658371925 CET	445	50086	40.79.112.1	192.168.2.9
Jan 15, 2025 02:53:14.658432007 CET	50086	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.658526897 CET	445	50087	40.79.112.1	192.168.2.9
Jan 15, 2025 02:53:14.658591032 CET	50087	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.658611059 CET	50087	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:14.663408041 CET	445	50087	40.79.112.1	192.168.2.9
Jan 15, 2025 02:53:15.013345003 CET	445	50025	89.64.173.1	192.168.2.9
Jan 15, 2025 02:53:15.013489008 CET	50025	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:15.013545990 CET	50025	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:15.013545990 CET	50025	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:15.018832922 CET	445	50025	89.64.173.1	192.168.2.9
Jan 15, 2025 02:53:15.018842936 CET	445	50025	89.64.173.1	192.168.2.9
Jan 15, 2025 02:53:15.184829950 CET	445	50026	31.13.181.1	192.168.2.9
Jan 15, 2025 02:53:15.184922934 CET	50026	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:53:15.185045958 CET	50026	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:53:15.185213089 CET	50026	445	192.168.2.9	31.13.181.1
Jan 15, 2025 02:53:15.192277908 CET	445	50026	31.13.181.1	192.168.2.9
Jan 15, 2025 02:53:15.192289114 CET	445	50026	31.13.181.1	192.168.2.9
Jan 15, 2025 02:53:15.236952066 CET	50089	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.242316961 CET	445	50089	31.13.181.2	192.168.2.9
Jan 15, 2025 02:53:15.242393970 CET	50089	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.242569923 CET	50089	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.242738008 CET	50090	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.247724056 CET	445	50089	31.13.181.2	192.168.2.9
Jan 15, 2025 02:53:15.247808933 CET	50089	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.247901917 CET	445	50090	31.13.181.2	192.168.2.9
Jan 15, 2025 02:53:15.247953892 CET	50090	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.247972012 CET	50090	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:15.253206015 CET	445	50090	31.13.181.2	192.168.2.9
Jan 15, 2025 02:53:15.518400908 CET	50091	445	192.168.2.9	170.13.171.123
Jan 15, 2025 02:53:15.523222923 CET	445	50091	170.13.171.123	192.168.2.9
Jan 15, 2025 02:53:15.523339987 CET	50091	445	192.168.2.9	170.13.171.123
Jan 15, 2025 02:53:15.523531914 CET	50091	445	192.168.2.9	170.13.171.123
Jan 15, 2025 02:53:15.523691893 CET	50092	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.528525114 CET	445	50091	170.13.171.123	192.168.2.9
Jan 15, 2025 02:53:15.528568029 CET	50091	445	192.168.2.9	170.13.171.123
Jan 15, 2025 02:53:15.528764009 CET	445	50092	170.13.171.1	192.168.2.9
Jan 15, 2025 02:53:15.528825045 CET	50092	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.528877974 CET	50092	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.529072046 CET	50093	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.533788919 CET	445	50092	170.13.171.1	192.168.2.9
Jan 15, 2025 02:53:15.533835888 CET	50092	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.533880949 CET	445	50093	170.13.171.1	192.168.2.9
Jan 15, 2025 02:53:15.533931971 CET	50093	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.533998966 CET	50093	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:15.538791895 CET	445	50093	170.13.171.1	192.168.2.9
Jan 15, 2025 02:53:16.346781969 CET	50094	445	192.168.2.9	6.122.130.127
Jan 15, 2025 02:53:16.351630926 CET	445	50094	6.122.130.127	192.168.2.9
Jan 15, 2025 02:53:16.351741076 CET	50094	445	192.168.2.9	6.122.130.127
Jan 15, 2025 02:53:16.351758003 CET	50094	445	192.168.2.9	6.122.130.127
Jan 15, 2025 02:53:16.351912975 CET	50095	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.356733084 CET	445	50095	6.122.130.1	192.168.2.9
Jan 15, 2025 02:53:16.356744051 CET	445	50094	6.122.130.127	192.168.2.9
Jan 15, 2025 02:53:16.356802940 CET	50094	445	192.168.2.9	6.122.130.127
Jan 15, 2025 02:53:16.356956959 CET	50095	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.356956959 CET	50095	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.357425928 CET	50096	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.361857891 CET	445	50095	6.122.130.1	192.168.2.9
Jan 15, 2025 02:53:16.361913919 CET	50095	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.362241030 CET	445	50096	6.122.130.1	192.168.2.9
Jan 15, 2025 02:53:16.362297058 CET	50096	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.362332106 CET	50096	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:16.367110968 CET	445	50096	6.122.130.1	192.168.2.9
Jan 15, 2025 02:53:16.997684002 CET	445	50029	130.175.80.1	192.168.2.9
Jan 15, 2025 02:53:16.997786999 CET	50029	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:16.997868061 CET	50029	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:16.997934103 CET	50029	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:17.002739906 CET	445	50029	130.175.80.1	192.168.2.9
Jan 15, 2025 02:53:17.002770901 CET	445	50029	130.175.80.1	192.168.2.9
Jan 15, 2025 02:53:17.115262032 CET	50097	445	192.168.2.9	206.13.39.203
Jan 15, 2025 02:53:17.120171070 CET	445	50097	206.13.39.203	192.168.2.9
Jan 15, 2025 02:53:17.120234013 CET	50097	445	192.168.2.9	206.13.39.203
Jan 15, 2025 02:53:17.120259047 CET	50097	445	192.168.2.9	206.13.39.203
Jan 15, 2025 02:53:17.120378971 CET	50098	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.128519058 CET	445	50098	206.13.39.1	192.168.2.9
Jan 15, 2025 02:53:17.128550053 CET	445	50097	206.13.39.203	192.168.2.9
Jan 15, 2025 02:53:17.128597021 CET	50098	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.128608942 CET	50097	445	192.168.2.9	206.13.39.203
Jan 15, 2025 02:53:17.128674030 CET	50098	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.128943920 CET	50099	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.133943081 CET	445	50098	206.13.39.1	192.168.2.9
Jan 15, 2025 02:53:17.133975983 CET	445	50099	206.13.39.1	192.168.2.9
Jan 15, 2025 02:53:17.134010077 CET	50098	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.134037971 CET	50099	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.134090900 CET	50099	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:17.138940096 CET	445	50099	206.13.39.1	192.168.2.9
Jan 15, 2025 02:53:18.018397093 CET	50101	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:18.023350000 CET	445	50101	89.64.173.1	192.168.2.9
Jan 15, 2025 02:53:18.023436069 CET	50101	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:18.023457050 CET	50101	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:18.028402090 CET	445	50101	89.64.173.1	192.168.2.9
Jan 15, 2025 02:53:18.608661890 CET	445	50031	105.132.39.2	192.168.2.9
Jan 15, 2025 02:53:18.608753920 CET	50031	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:53:18.608818054 CET	50031	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:53:18.608899117 CET	50031	445	192.168.2.9	105.132.39.2
Jan 15, 2025 02:53:18.613600969 CET	445	50031	105.132.39.2	192.168.2.9
Jan 15, 2025 02:53:18.613653898 CET	445	50031	105.132.39.2	192.168.2.9
Jan 15, 2025 02:53:18.674412012 CET	50103	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.679366112 CET	445	50103	105.132.39.3	192.168.2.9
Jan 15, 2025 02:53:18.679485083 CET	50103	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.679485083 CET	50103	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.679917097 CET	50104	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.684541941 CET	445	50103	105.132.39.3	192.168.2.9
Jan 15, 2025 02:53:18.684607029 CET	50103	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.684787035 CET	445	50104	105.132.39.3	192.168.2.9
Jan 15, 2025 02:53:18.684885979 CET	50104	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.684886932 CET	50104	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:18.689795017 CET	445	50104	105.132.39.3	192.168.2.9
Jan 15, 2025 02:53:19.033474922 CET	445	50034	158.170.93.1	192.168.2.9
Jan 15, 2025 02:53:19.033549070 CET	50034	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:19.033582926 CET	50034	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:19.033615112 CET	50034	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:19.038491964 CET	445	50034	158.170.93.1	192.168.2.9
Jan 15, 2025 02:53:19.038522005 CET	445	50034	158.170.93.1	192.168.2.9
Jan 15, 2025 02:53:19.278458118 CET	445	50035	9.126.239.1	192.168.2.9
Jan 15, 2025 02:53:19.278517008 CET	50035	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:53:19.278600931 CET	50035	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:53:19.278655052 CET	50035	445	192.168.2.9	9.126.239.1
Jan 15, 2025 02:53:19.283524036 CET	445	50035	9.126.239.1	192.168.2.9
Jan 15, 2025 02:53:19.283535004 CET	445	50035	9.126.239.1	192.168.2.9
Jan 15, 2025 02:53:19.330643892 CET	50107	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.335493088 CET	445	50107	9.126.239.2	192.168.2.9
Jan 15, 2025 02:53:19.335558891 CET	50107	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.335580111 CET	50107	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.335993052 CET	50108	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.340506077 CET	445	50107	9.126.239.2	192.168.2.9
Jan 15, 2025 02:53:19.340562105 CET	50107	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.340848923 CET	445	50108	9.126.239.2	192.168.2.9
Jan 15, 2025 02:53:19.340922117 CET	50108	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.340967894 CET	50108	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:19.345798969 CET	445	50108	9.126.239.2	192.168.2.9
Jan 15, 2025 02:53:19.731574059 CET	445	50037	190.228.30.2	192.168.2.9
Jan 15, 2025 02:53:19.731653929 CET	50037	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:19.731688023 CET	50037	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:19.731762886 CET	50037	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:19.736629963 CET	445	50037	190.228.30.2	192.168.2.9
Jan 15, 2025 02:53:19.736660957 CET	445	50037	190.228.30.2	192.168.2.9
Jan 15, 2025 02:53:20.002805948 CET	50111	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:20.007756948 CET	445	50111	130.175.80.1	192.168.2.9
Jan 15, 2025 02:53:20.007860899 CET	50111	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:20.007860899 CET	50111	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:20.012829065 CET	445	50111	130.175.80.1	192.168.2.9
Jan 15, 2025 02:53:21.257289886 CET	445	50041	78.233.46.1	192.168.2.9
Jan 15, 2025 02:53:21.257352114 CET	50041	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:53:21.257442951 CET	50041	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:53:21.257463932 CET	50041	445	192.168.2.9	78.233.46.1
Jan 15, 2025 02:53:21.262237072 CET	445	50041	78.233.46.1	192.168.2.9
Jan 15, 2025 02:53:21.262247086 CET	445	50041	78.233.46.1	192.168.2.9
Jan 15, 2025 02:53:21.315133095 CET	50120	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.321662903 CET	445	50120	78.233.46.2	192.168.2.9
Jan 15, 2025 02:53:21.321738005 CET	50120	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.321782112 CET	50120	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.322114944 CET	50121	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.328463078 CET	445	50120	78.233.46.2	192.168.2.9
Jan 15, 2025 02:53:21.328522921 CET	50120	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.328630924 CET	445	50121	78.233.46.2	192.168.2.9
Jan 15, 2025 02:53:21.328702927 CET	50121	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.328702927 CET	50121	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:21.335344076 CET	445	50121	78.233.46.2	192.168.2.9
Jan 15, 2025 02:53:22.049374104 CET	50128	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:22.054461956 CET	445	50128	158.170.93.1	192.168.2.9
Jan 15, 2025 02:53:22.054553986 CET	50128	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:22.054610968 CET	50128	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:22.059412956 CET	445	50128	158.170.93.1	192.168.2.9
Jan 15, 2025 02:53:22.736937046 CET	50135	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:22.741942883 CET	445	50135	190.228.30.2	192.168.2.9
Jan 15, 2025 02:53:22.742012024 CET	50135	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:22.742057085 CET	50135	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:22.746884108 CET	445	50135	190.228.30.2	192.168.2.9
Jan 15, 2025 02:53:22.969964027 CET	445	50044	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:22.970170975 CET	50044	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:22.970248938 CET	50044	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:22.970249891 CET	50044	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:22.976686001 CET	445	50044	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:22.976701021 CET	445	50044	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:23.280997038 CET	445	50045	201.22.142.1	192.168.2.9
Jan 15, 2025 02:53:23.281061888 CET	50045	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:53:23.281109095 CET	50045	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:53:23.281913996 CET	50045	445	192.168.2.9	201.22.142.1
Jan 15, 2025 02:53:23.286885023 CET	445	50045	201.22.142.1	192.168.2.9
Jan 15, 2025 02:53:23.287854910 CET	445	50045	201.22.142.1	192.168.2.9
Jan 15, 2025 02:53:23.347585917 CET	50143	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.353216887 CET	445	50143	201.22.142.2	192.168.2.9
Jan 15, 2025 02:53:23.353384972 CET	50143	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.353420019 CET	50143	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.353718996 CET	50144	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.358619928 CET	445	50143	201.22.142.2	192.168.2.9
Jan 15, 2025 02:53:23.358635902 CET	445	50144	201.22.142.2	192.168.2.9
Jan 15, 2025 02:53:23.358675003 CET	50143	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.358702898 CET	50144	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.358742952 CET	50144	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:23.363627911 CET	445	50144	201.22.142.2	192.168.2.9
Jan 15, 2025 02:53:24.671550035 CET	445	50048	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:24.671644926 CET	50048	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:24.671669006 CET	50048	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:24.671713114 CET	50048	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:24.676577091 CET	445	50048	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:24.676594973 CET	445	50048	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:25.279793024 CET	445	50049	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:25.280028105 CET	50049	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:25.280028105 CET	50049	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:25.280028105 CET	50049	445	192.168.2.9	98.165.245.1
Jan 15, 2025 02:53:25.285419941 CET	445	50049	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:25.285470963 CET	445	50049	98.165.245.1	192.168.2.9
Jan 15, 2025 02:53:25.330558062 CET	50178	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.335426092 CET	445	50178	98.165.245.2	192.168.2.9
Jan 15, 2025 02:53:25.335500002 CET	50178	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.335514069 CET	50178	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.335789919 CET	50179	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.340568066 CET	445	50178	98.165.245.2	192.168.2.9
Jan 15, 2025 02:53:25.340620995 CET	50178	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.340646982 CET	445	50179	98.165.245.2	192.168.2.9
Jan 15, 2025 02:53:25.341278076 CET	50179	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.341278076 CET	50179	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:25.346105099 CET	445	50179	98.165.245.2	192.168.2.9
Jan 15, 2025 02:53:25.971630096 CET	50195	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:25.976531029 CET	445	50195	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:25.976618052 CET	50195	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:25.976705074 CET	50195	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:25.981476068 CET	445	50195	159.48.29.1	192.168.2.9
Jan 15, 2025 02:53:26.296298027 CET	445	50053	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:26.296375990 CET	50053	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:26.296442986 CET	50053	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:26.296555042 CET	50053	445	192.168.2.9	86.133.180.1
Jan 15, 2025 02:53:26.301429987 CET	445	50053	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:26.301460028 CET	445	50053	86.133.180.1	192.168.2.9
Jan 15, 2025 02:53:27.436793089 CET	445	50054	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:27.436968088 CET	50054	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:27.436968088 CET	50054	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:27.436968088 CET	50054	445	192.168.2.9	136.179.52.1
Jan 15, 2025 02:53:27.441891909 CET	445	50054	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:27.441942930 CET	445	50054	136.179.52.1	192.168.2.9
Jan 15, 2025 02:53:27.502598047 CET	50247	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.507504940 CET	445	50247	136.179.52.2	192.168.2.9
Jan 15, 2025 02:53:27.507616997 CET	50247	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.507872105 CET	50247	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.507997990 CET	50248	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.512727022 CET	445	50247	136.179.52.2	192.168.2.9
Jan 15, 2025 02:53:27.512801886 CET	50247	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.512814999 CET	445	50248	136.179.52.2	192.168.2.9
Jan 15, 2025 02:53:27.512878895 CET	50248	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.512959003 CET	50248	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:27.517788887 CET	445	50248	136.179.52.2	192.168.2.9
Jan 15, 2025 02:53:27.654476881 CET	445	50056	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:27.654556036 CET	50056	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:27.654599905 CET	50056	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:27.654599905 CET	50056	445	192.168.2.9	185.92.212.2
Jan 15, 2025 02:53:27.659560919 CET	445	50056	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:27.659591913 CET	445	50056	185.92.212.2	192.168.2.9
Jan 15, 2025 02:53:27.674429893 CET	50255	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:27.679377079 CET	445	50255	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:27.679469109 CET	50255	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:27.679469109 CET	50255	445	192.168.2.9	152.242.192.1
Jan 15, 2025 02:53:27.684405088 CET	445	50255	152.242.192.1	192.168.2.9
Jan 15, 2025 02:53:27.862756968 CET	445	50059	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:27.862844944 CET	50059	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:27.862876892 CET	50059	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:27.862917900 CET	50059	445	192.168.2.9	61.53.130.1
Jan 15, 2025 02:53:27.867764950 CET	445	50059	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:27.867794037 CET	445	50059	61.53.130.1	192.168.2.9
Jan 15, 2025 02:53:29.282638073 CET	445	50062	113.88.91.1	192.168.2.9
Jan 15, 2025 02:53:29.282694101 CET	50062	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:29.419375896 CET	445	50063	65.24.132.1	192.168.2.9
Jan 15, 2025 02:53:29.419486046 CET	50063	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:30.575584888 CET	445	50066	5.219.67.1	192.168.2.9
Jan 15, 2025 02:53:30.575639009 CET	50066	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:30.796056986 CET	50128	445	192.168.2.9	158.170.93.1
Jan 15, 2025 02:53:30.796081066 CET	50135	445	192.168.2.9	190.228.30.2
Jan 15, 2025 02:53:30.796092033 CET	50179	445	192.168.2.9	98.165.245.2
Jan 15, 2025 02:53:30.796130896 CET	50121	445	192.168.2.9	78.233.46.2
Jan 15, 2025 02:53:30.796170950 CET	50101	445	192.168.2.9	89.64.173.1
Jan 15, 2025 02:53:30.796180964 CET	50084	445	192.168.2.9	132.224.47.1
Jan 15, 2025 02:53:30.796207905 CET	50099	445	192.168.2.9	206.13.39.1
Jan 15, 2025 02:53:30.796283007 CET	50075	445	192.168.2.9	173.7.196.1
Jan 15, 2025 02:53:30.796305895 CET	50104	445	192.168.2.9	105.132.39.3
Jan 15, 2025 02:53:30.796339035 CET	50074	445	192.168.2.9	48.0.238.1
Jan 15, 2025 02:53:30.796375036 CET	50248	445	192.168.2.9	136.179.52.2
Jan 15, 2025 02:53:30.796376944 CET	50071	445	192.168.2.9	134.82.208.1
Jan 15, 2025 02:53:30.796446085 CET	50063	445	192.168.2.9	65.24.132.1
Jan 15, 2025 02:53:30.796499968 CET	50067	445	192.168.2.9	54.65.187.1
Jan 15, 2025 02:53:30.796514034 CET	50080	445	192.168.2.9	40.90.175.2
Jan 15, 2025 02:53:30.796648979 CET	50090	445	192.168.2.9	31.13.181.2
Jan 15, 2025 02:53:30.796675920 CET	50111	445	192.168.2.9	130.175.80.1
Jan 15, 2025 02:53:30.796690941 CET	50062	445	192.168.2.9	113.88.91.1
Jan 15, 2025 02:53:30.796717882 CET	50066	445	192.168.2.9	5.219.67.1
Jan 15, 2025 02:53:30.796757936 CET	50068	445	192.168.2.9	103.231.236.3
Jan 15, 2025 02:53:30.796777010 CET	50078	445	192.168.2.9	17.6.41.1
Jan 15, 2025 02:53:30.796813965 CET	50083	445	192.168.2.9	172.49.248.1
Jan 15, 2025 02:53:30.796834946 CET	50087	445	192.168.2.9	40.79.112.1
Jan 15, 2025 02:53:30.796854019 CET	50093	445	192.168.2.9	170.13.171.1
Jan 15, 2025 02:53:30.796874046 CET	50096	445	192.168.2.9	6.122.130.1
Jan 15, 2025 02:53:30.796941996 CET	50108	445	192.168.2.9	9.126.239.2
Jan 15, 2025 02:53:30.796973944 CET	50144	445	192.168.2.9	201.22.142.2
Jan 15, 2025 02:53:30.796973944 CET	50195	445	192.168.2.9	159.48.29.1
Jan 15, 2025 02:53:30.797024012 CET	50255	445	192.168.2.9	152.242.192.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:52:23.293870926 CET	61146	53	192.168.2.9	1.1.1.1
Jan 15, 2025 02:52:23.301310062 CET	53	61146	1.1.1.1	192.168.2.9
Jan 15, 2025 02:53:10.132354975 CET	138	138	192.168.2.9	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 02:52:23.293870926 CET	192.168.2.9	1.1.1.1	0x488e	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 02:52:23.301310062 CET	1.1.1.1	192.168.2.9	0x488e	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:52:23.301310062 CET	1.1.1.1	192.168.2.9	0x488e	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	104.16.166.228	80	7520	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:52:23.355256081 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 02:52:23.829896927 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 01:52:23 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902239e47ab47ce4-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	104.16.166.228	80	7640	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:52:24.778357029 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 02:52:25.323154926 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 01:52:25 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902239ed8c5e0ca0-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49716	104.16.166.228	80	7712	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:52:25.611505985 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 02:52:26.107903957 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 01:52:26 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902239f2bc700cb4-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Target ID:	0
Start time:	20:52:21
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll"
Imagebase:	0x530000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:52:21
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:52:21
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:52:21
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\330tqxXVzm.dll,PlayGame
Imagebase:	0xc80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:52:21
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",#1
Imagebase:	0xc80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:52:21
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	5CE0C05BC5A5A786C0623C16C2D8B3A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1388044260.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1388188707.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:52:22
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	5CE0C05BC5A5A786C0623C16C2D8B3A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1402890609.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2051591528.0000000001EB9000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1403526923.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2051893134.00000000023E1000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:52:24
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\330tqxXVzm.dll",PlayGame
Imagebase:	0xc80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:52:24
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	5CE0C05BC5A5A786C0623C16C2D8B3A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1415685359.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1425963319.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.1415917565.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.1426139910.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:52:24
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	29868284EA8EB1D5DB9949A9112CBAB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.1417150192.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:52:25
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	29868284EA8EB1D5DB9949A9112CBAB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.1425190508.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.1424435837.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
/i, xrefs: 00407E8D
CreateFileA, xrefs: 00407D0F
C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000006.00000002.1419100230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1419058417.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419129022.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419249332.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1419100230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1419058417.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419129022.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419249332.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1419100230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1419058417.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419129022.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419249332.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.1419100230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1419058417.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419129022.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419249332.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1419100230.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1419058417.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419129022.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419155775.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419249332.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1419702179.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 7640, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F9B0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2050698744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2050680211.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050715475.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050775911.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050790574.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2050698744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2050680211.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050715475.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050775911.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050790574.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F9B0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000008.00000002.2050698744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2050680211.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050715475.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050775911.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050790574.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F9B0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\qeriuwjhrf, xrefs: 00407E12
kernel32.dll, xrefs: 00407CEA
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
C:\%s\%s, xrefs: 00407DFB
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000008.00000002.2050698744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2050680211.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050715475.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050775911.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050790574.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2050698744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2050680211.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050715475.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050728875.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050761683.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050775911.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050790574.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2050873173.000000000080A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 7752, Parent PID: 7520COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/..\, xrefs: 00406E03
/../, xrefs: 00406DF5
\..\, xrefs: 00406DD9
\../, xrefs: 00406DE7

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptGenKey, xrefs: 00401AAD
CryptDestroyKey, xrefs: 00401A86
CryptAcquireContextA, xrefs: 00401A71
CryptDecrypt, xrefs: 00401AA0
CryptEncrypt, xrefs: 00401A93
advapi32.dll, xrefs: 00401A55
CryptImportKey, xrefs: 00401A79

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

CreateFileW, xrefs: 00401743
kernel32.dll, xrefs: 00401727
MoveFileExW, xrefs: 00401772
DeleteFileW, xrefs: 0040177F
CloseHandle, xrefs: 0040178C
ReadFile, xrefs: 00401758
MoveFileW, xrefs: 00401765
WriteFile, xrefs: 0040174B

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00407389
:, xrefs: 0040736E
\, xrefs: 00407358
%s%s%s, xrefs: 004072F6

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

tasksche.exe, xrefs: 00402061, 0040206D, 00402075
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
t.wnry, xrefs: 00402125
TaskStart, xrefs: 00402145
attrib +h ., xrefs: 004020DC

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMulusermePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

WanaCrypt0r, xrefs: 00401145
0@, xrefs: 00401157
Software\, xrefs: 0040110A

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

kernel32.dll, xrefs: 0040228C
?!@, xrefs: 004021F8
GetNativeSystemInfo, xrefs: 004022A1

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

%s%d, xrefs: 00401F10
Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 0000000B.00000002.1418302397.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.1418274936.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418335575.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418369242.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.1418396459.00000000004FA000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 330tqxXVzm.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvc.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
330tqxXVzm.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON